OSEC

From: securitydevitry.com
Date: Mon Jan 07 2002 - 10:07:50 CST


Summary

CitiBank's online cash site, C2IT.com, has substantial vulnerabilities to Cross Site Scripting. The site is similar to PayPal in that it lets users attach bank and credit card accounts to this online system. Users can then "send" cash to any user via their email address.

The site leaves nearly every form field un-filtered. The site also displays credit card numbers, bank account numbers, security codes and other data with no obfuscation. This info is then available to javascript through cross site scripting. Citibank was notified 4 months ago about problems with their sites and many times since; however, no noticeable actions have been taken yet.

This alert documents two sample attacks:
- Gaining access to users' credit card and bank account numbers
- Scripting cash transfers out of users' accounts and/or credit cards

Details

http://www.devitry.com/c2it-security.html

I'm not posting the javascript examples here as many email servers now reject email with even the hint of javascript in them. (Hmm, maybe that is a bad thing if someone is not actually getting what may be an important email?)

     -dave
      devitry.com
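As an added example (not code from the original post, nor from the site it describes), here are the two defensive measures the advisory's findings call for: output-encoding user-supplied form values before they are echoed into a page, and masking account numbers so the full value is never rendered where a script could read it. The field names and the sample input are constructed for illustration.

```javascript
// Added example: server-side rendering helpers that address the two problems
// the advisory reports (unfiltered form fields, unmasked account data).

// Escape the five characters that let a reflected form value break out of
// HTML text or a quoted attribute and become markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Mask a card or bank account number, keeping only the last four digits.
// Separators are dropped first, so "4111 1111 1111 1111" and
// "4111-1111-1111-1111" mask identically.
function maskAccountNumber(number) {
  const digits = String(number).replace(/\D/g, "");
  if (digits.length <= 4) return "*".repeat(digits.length);
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Render a "send cash" confirmation the safe way: every user-supplied field
// escaped, and the funding account masked before it is placed in the page.
function renderConfirmation(fields) {
  return [
    `<p>To: ${escapeHtml(fields.recipientEmail)}</p>`,
    `<p>Memo: ${escapeHtml(fields.memo)}</p>`,
    `<p>From account: ${escapeHtml(maskAccountNumber(fields.account))}</p>`,
  ].join("\n");
}

// Constructed sample input (hypothetical field names): the memo carries the
// kind of markup an unfiltered field would otherwise echo back verbatim.
const sampleFields = {
  recipientEmail: "someone@example.com",
  memo: "<script>alert(1)</script>",
  account: "4111 1111 1111 1111",
};

// Returns true only if the rendered page contains neither live markup from the
// memo nor the full account number.
function confirmationIsSafe(fields) {
  const html = renderConfirmation(fields);
  return !html.includes("<script>") && !html.includes("4111 1111 1111 1111");
}
```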