Bugtraq mailing list archives

Bank One Online puts bank card numbers at risk of exposure


From: C Matthew Curtin <cmcurtin () INTERHACK NET>
Date: Wed, 25 Oct 2000 21:36:43 -0400

Bank One Online (www.bankoneonline.com) stores customer account
information -- specifically, credit and/or debit card numbers -- in
insecure cookies.  There are several problems:

 o Although the cookie is sent from the server to the browser in an
   encrypted channel, the flag used to prevent the browser from
   sending the cookie back in cleartext is not set.  Thus, it is
   possible that the browser could send the bank card number across
   the Internet in the clear.

 o The bank card number is stored "in the clear" on the local disk.
   Thus, people with access to read the cookies file will be able to
   read the bank card number.  This is a larger threat in networked
   computing environments, particularly where the user's cookies
   aren't saved on the local disk, but on a centralized network
   server.  These files are not always properly protected to prevent
   others from reading them.

 o Another risk that comes from putting the bank card number in a
   cleartext cookie is that it can be read by someone on the local
   network with a packet sniffer if the cookies are saved on a network
   server.

 o Finally, there are bugs in some browsers that make it possible for
   a malicious web site to have the user's cookies uploaded without
   approval.  Such a site would be able to collect the bank card
   numbers of Bank One Online users.  Although patches have been
   released, not everyone is running the latest patch level of the
   browser, and this clearly demonstrates that such bugs are
   possible and such mistakes could be made again.
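An added example, not from the original post or from Interhack's report, that audits Set-Cookie headers for the properties the bullets above describe: a missing Secure attribute (the flag that stops the browser from returning the cookie over cleartext HTTP), a persistent expiry (which causes the browser to write the cookie to the cookies file on disk), and a value that looks like a bank card number. The sample headers and the card number in them are constructed for the example; the Luhn check is a heuristic, not proof that a value is a real card number.

```python
import re

# Constructed sample Set-Cookie headers; 4111111111111111 is the standard
# test card number, not a real account.
SAMPLE_HEADERS = [
    "Set-Cookie: acct=4111111111111111; Path=/; Expires=Wed, 25 Oct 2001 00:00:00 GMT",
    "Set-Cookie: session=a9f3c1; Path=/; Secure",
    "Set-Cookie: pref=blue; Path=/",
]

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def looks_like_card_number(value: str) -> bool:
    """Heuristic: any run of 13-19 digits that passes the Luhn check."""
    return any(luhn_ok(m.group(0)) for m in re.finditer(r"\d{13,19}", value))

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    body = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}

def audit_cookie(header: str) -> list:
    """Return the findings for one Set-Cookie header (empty list = nothing flagged)."""
    c = parse_set_cookie(header)
    findings = []
    if "secure" not in c["attrs"]:
        findings.append("missing Secure flag: browser may send it over cleartext HTTP")
    if "expires" in c["attrs"] or "max-age" in c["attrs"]:
        findings.append("persistent: written to the cookies file on disk")
    if looks_like_card_number(c["value"]):
        findings.append("value looks like a card number (passes Luhn)")
    return findings

def audit_all(headers=SAMPLE_HEADERS) -> dict:
    """Map each cookie name to its findings."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h) for h in headers}
```

Running `audit_all()` against the constructed headers flags the `acct` cookie on all three counts, while the `session` cookie (Secure, not persistent, no card-like value) produces no findings.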

We have detailed the problem and outlined a solution in our report
"Bank One Online Puts Customer Account Information at Risk."

Some common questions and their answers are available at
http://www.interhack.net/news/bankone.20001025.html.

The full report is available at
http://www.interhack.net/pubs/bankone-online/.

Compute safely.

--
Matt Curtin, Founder   Interhack Corporation   http://www.interhack.net/
"Building the Internet, Securely."   research | development | consulting