Network Security Vuln-Dev

Re: Capital One's website inadvertently assists phishing

Subject: Re: Capital One's website inadvertently assists phishing
Date: Tue, 19 Apr 2005 19:12:09 -0400
On Tue, Apr 19, 2005 at 05:30:28PM -0500, dramatools wrote:
> However, I clicked your "proof of concept" link and found that the
> redirector did not send me to Wikipedia as expected, but Capital One's
> home page.  Perhaps one of their security people is lurking on bugtraq
> and attempted to fix the problem on the spot.  I'll keep monitoring this
> one.

Looks like full disclosure worked. Thanks!

http://barillari.org/blog/computers/internet/conephishing-updated.html

Timeline (should be mostly complete):

|13 Apr 01:28:45 -0400|Phishing email exploiting unchecked redirect arrives|
|13 Apr 01:54:51 -0400|Emailed webinfo@capitalone.com to report it|
|13 Apr 01:53:00 -0400|Blog post "posted":http://barillari.org/blog/computers/internet/conephishing.html|
|13 Apr 16:29:45 -0400|Inform Capital One of my intention to post to "bugtraq":http://securityfocus.org/archive/1 in 24 hours|
|13 Apr 16:31:11 -0400|Capital One form letter arrives: "this [phishing] email has not compromised Capital One's systems in any way,"|
|13 Apr 16:44:42 -0400|Reply to Capital One form letter: "this email _has_ taken advantage of a compromised Capital One system: Capital One's website redirects URLs without checking them....please see the note about bugtraq below"|
|13 Apr 16:47:15 -0400|Another form letter: "A Capital One representative will respond to your e-mail inquiry, usually within 24 - 48 hours. Please note, due to high email volumes, this timeframe may be extended to up to 72 hours". I wonder if saying "bugtraq" provokes this response.|
|19 Apr 16:32:15 -0400|Four business days later (well beyond 72h), redirect is still unchecked. "Post":http://www.securityfocus.com/archive/1/396255 bug to bugtraq and cc Capital One|
|19 Apr 16:53:46 -0400|Reply to Capital One (signed by a human?) form letter: "the point is that the phishing email _has_ exploited a flaw in Capital One's systems. Your website permits unchecked redirects. This makes a phisher's job much, much easier."|
|19 Apr 18:01:00 -0400|A bugtraq subscriber tells me that he's emailed abuse@capitalone.com (I should have thought of that)|
|19 Apr 14:27:05 -0800|*Another bugtraq subscriber tells me that it's fixed.* Checked myself --- apparently, it is.|
|19 Apr 18:55:38 -0400|Send email to webinfo@, thanking them for fixing the unchecked redirect.|

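The flaw the thread is about is a redirect endpoint that forwards to whatever URL it is handed. The following is an added illustration, not code from the post or from Capital One, of an unchecked redirect target beside a checked one; the host names and the site origin are hypothetical, and the hardened version shows the edge cases a naive "starts with our domain" check gets wrong.

```python
from urllib.parse import urlsplit, urljoin

# Hypothetical site issuing the redirect (constructed for this example).
SITE_ORIGIN = "https://www.example-bank.test/"
ALLOWED_HOSTS = {"www.example-bank.test", "example-bank.test"}


def unchecked_redirect_target(dest: str) -> str:
    """The flawed behaviour: the user-supplied 'dest' is used verbatim as the Location."""
    return dest


def checked_redirect_target(dest: str, default: str = SITE_ORIGIN) -> str:
    """Return 'dest' only if it resolves to an allowed host over HTTPS, else 'default'.

    Rejects control characters (header splitting), backslash and triple-slash
    tricks that browsers normalise into a new authority, userinfo '@' tricks,
    and look-alike hosts such as www.example-bank.test.evil.test.
    """
    if not dest or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in dest):
        return default
    # Browsers treat '\' like '/', so "/\evil.test" means "//evil.test".
    candidate = dest.replace("\\", "/")
    # Two or more leading slashes denote a new authority (browsers also collapse "///").
    if candidate.startswith("//"):
        return default
    resolved = urljoin(SITE_ORIGIN, candidate)
    parts = urlsplit(resolved)
    if parts.scheme != "https":
        return default
    # Exact host match; prefix/suffix string checks are what attackers bypass.
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return default
    # "https://www.example-bank.test@evil.test/" parses the trusted name as userinfo.
    if parts.username is not None or parts.password is not None:
        return default
    return resolved


if __name__ == "__main__":
    for dest in ("/account/summary", "//evil.test/login", "/\\evil.test/",
                 "https://www.example-bank.test.evil.test/", "http://www.example-bank.test/"):
        print(f"{dest!r:45} -> {checked_redirect_target(dest)}")
```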