Security Basics mailing list archives
Dexia website security alert
From: Jos Kirps <jos () kirps com>
Date: Fri, 26 Jan 2007 16:05:06 +0100
A few days ago I sent a mail to the Dexia bank (www.dexia.lu) about their
website.They have two logins, one is for the online banking account and one is for some kind of members' area. The problem with the "members' login" was that a) it was
not SSL encrypted and b) it used to send bad usernames and passwords in clear text back to the browser.So here's the critical point: If you wanted to use your online banking but selected the wrong login by mistake your (correct) username and password were refused (still ok), sent back to the browser in clear text and stored in the
browser cache (well...).I sent them the info via mail (see below), they replied using a standard "thank you for your mail" answer and 24 hours later the login was changed. But I didn't get any further feedback so I mailed them again to get some kind of statement, but they simply replied that "The risk, that you evoked, is really weak" aso.
So, after all, they seem to think that this was just "peanuts" and not worth talking about. I, on the other hand, think that this was more than critical and
that there could still be passwords stored out there in browser caches. So what do you think about this? Has anyone any experience with banks? Best regards Jos Kirps ===== the original mail ===== To: contact () dexia-bil lu, technique () dexia-bil lu From: Jos Kirps <jos () kirps com> Subject: Dexia website security alert Date: Tue, 23 Jan 2007 08:39:36 +0100 synopsis: dexia website member access uses a crappy login that allows to retrieve member usernames or passwords an eventually even bank account usernames and passwords. url: <http://www.dexia-bil.lu/webquotes/index1.asp?=20 h=3D1&lang=3Den&menu=3Donl&href=3Dprofil_logon2.asp?lang=3Den> description: there are two basic problems with this page: a) there is no ssl encryption and b) if you enter a bad username or password both username and password are returned in cleartext to the browser. so everyone can read them on the page source or retrieve them from the browser cache (tested, works fine). i think another huge problem is related to the design of the site entrance page itself - there is a "dexiaplus login" for account holders and a "members' login" (which is the weak one described above). now if you are an account holder an chose "members' login" instead of "dexiaplus login" by mistake (and i think this could definately happen) and enter your bank account username and password here you'll get an "access denied" - which is perfectly okay, but - and this is the =20 *really bad* news - your bank account username and password will be returned in clear text by the dexia server, and hence stored in your browser cache where they can easily be retrieved by anyone who has access to your computer (if it hasn't already been captured via the network before...). solutions / suggestions: ssl encryption on the members' login page, and never return password field contents in clear text to the browser (especially if you're a =20 bank :-). note: even if you get the bank account username and password you'll still need a TAN code to access an account, so this doesn't give you direct access to someones online bank account. but it definately gets you *a lot* closer!!! finally: please reply, fix & credit within the usual timeframes. will be posted on bugtraq afterwards.... don't hesitate to contact me if you have further questions best regards jos kirps ------------------------------------------------------ Jos Kirps ----------------------------------------------------- 14, Cité op Gewännchen 4383 Ehlerange Luxembourg ----------------------------------------------------- jos () kirps com http://www.kirps.com ----------------------------------------------------- joskirps () googlemail com http://sourceforge.net/users/joskirps skype: joskirps, jos () kirps com -----------------------------------------------------
Current thread:
- Dexia website security alert Jos Kirps (Jan 26)