C2IT.com Cross Site Scripting Vulnerability
Summary

CitiBank's online cash site, C2IT.com, has substantial vulnerabilities to Cross Site Scripting. The site is similar to PayPal in that it lets users attach Bank and Credit Card accounts to this online system. Users can then "send" cash to any user via their email address.

The site leaves nearly every form field unfiltered. The site also displays credit card numbers, bank account numbers, security codes and other data with no obfuscation. This info is then available to javascript through cross site scripting. Citibank was notified 4 months ago about problems with their sites and many times since; however, no noticeable actions have been taken yet.

This alert documents two sample attacks:
- Gaining access to users' credit card and bank account numbers
- Scripting cash transfers out of users' accounts and/or credit cards
Details

http://www.devitry.com/c2it-security.html

I'm not posting the javascript examples here as many email servers now reject email with even the hint of javascript in them. (Hmm, maybe that is a bad thing if someone is not actually getting what may be an important email?)
-dave
devitry.com
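As an added example (not code from the advisory, from devitry.com, or from C2IT/Citibank), the following JavaScript shows the two defensive measures the post's findings call for: encoding user-supplied form values before they are reflected back into HTML, and masking account numbers when they are displayed so that script running in the page cannot read them in full. The function names, the form fields and the sample values are assumptions constructed for this example.

```javascript
// Added example (not from the advisory or from C2IT/Citibank). Function names,
// form fields and sample values are hypothetical and constructed for illustration.

// Encode the five characters that let user-supplied text break out of an
// HTML text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Show only the last four digits of an account or card number, so a page that
// is compromised by script injection does not expose the full number.
function maskAccountNumber(number) {
  const digits = String(number).replace(/\D/g, '');
  if (digits.length <= 4) return digits;
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Render a "send cash" confirmation page from values a user typed into form
// fields, encoding each one before it is placed in the markup. A template that
// concatenated the raw values would reflect whatever markup the user supplied.
function renderConfirmation(fields, account) {
  return [
    '<p>Send to: ' + escapeHtml(fields.recipientEmail) + '</p>',
    '<p>Memo: ' + escapeHtml(fields.memo) + '</p>',
    '<p>From account: ' + escapeHtml(maskAccountNumber(account)) + '</p>',
    '<input type="hidden" name="memo" value="' + escapeHtml(fields.memo) + '">',
  ].join('\n');
}

// Constructed sample input: a memo field carrying markup and an email address
// containing a double quote, the kind of values an unfiltered form would echo.
const sampleFields = {
  recipientEmail: 'friend"@example.com',
  memo: '<script>alert(1)</script> lunch money',
};
const sampleAccount = '4111111111111111'; // constructed test card number

const page = renderConfirmation(sampleFields, sampleAccount);
console.log(page);
```

The encoding step is applied at output time, once per reflected value, so the markup stays inert regardless of what the form accepted; the masking step means the rendered page never contains the full number in the first place, which is the property the post's second sample attack relies on being absent.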
This mailing list archive is a service of Copilotco.