Bugtraq mailing list archives
Bank One Online puts bank card numbers at risk of exposure
From: C Matthew Curtin <cmcurtin () INTERHACK NET>
Date: Wed, 25 Oct 2000 21:36:43 -0400
Bank One Online (www.bankoneonline.com) stores customer account information -- specifically, credit and/or debit card numbers -- in insecure cookies. There are several problems:

 o Although the cookie is sent from the server to the browser in an encrypted channel, the flag used to prevent the browser from sending the cookie back in cleartext is not set. Thus, it is possible that the browser could send the bank card number across the Internet in the clear.

 o The bank card number is stored "in the clear" on the local disk. Thus, people with access to read the cookies file will be able to read the bank card number. This is a larger threat in networked computing environments, particularly where the user's cookies aren't saved on the local disk, but on a centralized network server. These files are not always properly protected to prevent others from reading them.

 o Another risk that comes from putting the bank card number in a cleartext cookie is that it can be read by someone on the local network with a packet sniffer if the cookies are saved on a network server.

 o Finally, there are bugs in some browsers that make it possible for a malicious web site to have the user's cookies uploaded without approval. Such a site would be able to collect the bank card numbers of Bank One Online users. Although patches have been released, not everyone is running the latest patch level of the browser, and this clearly demonstrates that such bugs are possible and such mistakes could be made again.

We have detailed the problem and outlined a solution in our report "Bank One Online Puts Customer Account Information at Risk." Some common questions and their answers are available at http://www.interhack.net/news/bankone.20001025.html. The full report is available at http://www.interhack.net/pubs/bankone-online/.

Compute safely.

--
Matt Curtin, Founder
Interhack Corporation http://www.interhack.net/
"Building the Internet, Securely." research | development | consulting
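An added audit routine, not part of Curtin's post or of Interhack's report, that checks Set-Cookie headers for the two defects described above: a missing Secure flag (the cookie may be resent over cleartext HTTP) and a cookie value that is shaped like a bank card number (a Luhn-valid 13 to 19 digit string). The sample headers are constructed for illustration and are not real Bank One responses.

```python
import re

def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def looks_like_card_number(value: str) -> bool:
    """Heuristic: strip non-digits, require a card-length Luhn-valid number."""
    digits = re.sub(r"\D", "", value)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)

def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()   # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs

def audit_set_cookie(header: str) -> dict:
    """Return the cookie name and a list of findings for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure flag: browser may resend cookie over cleartext HTTP")
    if looks_like_card_number(value):
        issues.append("value passes Luhn check: card number stored in cleartext cookie")
    return {"name": name, "issues": issues}

# Constructed sample headers (hypothetical; 4111111111111111 is a standard test number).
SAMPLE_HEADERS = [
    "acct=4111111111111111; Path=/",            # both defects
    "acct=4111111111111111; Path=/; Secure",    # still stored in the clear on disk
    "session=7f3a9c; Path=/; Secure",           # opaque token, Secure set
]

def audit_all(headers=SAMPLE_HEADERS):
    return [audit_set_cookie(h) for h in headers]

if __name__ == "__main__":
    for r in audit_all():
        print(r["name"], r["issues"] or ["ok"])
```

Setting Secure only removes the cleartext-transmission risk; the on-disk and network-share exposure the post describes is removed only by keeping the card number out of the cookie and storing an opaque session token instead.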