|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Eric N. Valor (ericv
scruznet.com)Date: Fri Sep 14 2001 - 14:57:54 CDT
The other solution to this problem is more of a social-engineering
workaround. Whenever I use an online banking session, after logging out of
the session I always scrub both the memory and disk caches of my browser
immediately after leaving the secure area.
>Date: 14 Sep 2001 05:03:10 -0000
>From: Brad Will <duke33yahoo.com>
>To: bugtraqsecurityfocus.com
>Subject: Bank of America Online Banking Security
>
>TOPIC: Bank Of America Online Banking Website
>Vulnerable to Reauthentication of Logged Out
>Sessions
>
>DATE: 9-13-2001
>FOUND BY: Brad Will
>STATUS: Bank of America's Customer Service and
>Technical Support were notified in 8/1/2001. Both
>replied with canned "this will be forwarded to the
>appropriate parties" responses.
>
>DESCRIPTION: Users of the Bank of America Online
>Banking website are vulnerable to a basic web
>security hole. After logging the current session out, a
>user can back up to a cached page
>(https://onlineid.bankofamerica.com/cgi-
>bin/sso.login.controller) in their browser's history.
>(This is most easily reproduced in Netscape. In
>MSIE, the user will more than likely be automatically
>redirected to another page.)
>Once on this page, the user can press the "refresh"
>button in their browser. This will repost the login
>credentials from the previous login, creating a new
>session, and logging the user in to the site.
-- Eric N. Valor ericv- This Space Intentionally Left Blank -
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]