Full Disclosure mailing list archives
Re: Wachovia Bank website sends confidential information
From: scott <redhowlingwolves () bellsouth net>
Date: Tue, 10 Jul 2007 20:49:55 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Maybe that's why they have the focus of some phishing attacks recently. Easy to get the victims login,especially if they were redirected through another site first. MITM made easy 101? Regards, Scott Bob Toxen wrote:
Wachovia Bank website sends confidential information (social security numbers, phone number, address, etc.) over the Internet without encryption. Horizon Network Security Security Advisory 07/10/2007 http://VerySecureLinux.com/ Jul 10, 2007 I. BACKGROUND Wachovia Bank's official web site offers the following URL to allow its customers to change their privacy preferences: http://www.wachovia.com/privacy Wachovia also notified its customers by U.S. Mail that they can use that same URL besides. That URL has a link to the following to actually change one's preferences: http://www.wachovia.com/personal/forms/privacy_optout Unfortunately, that page appears to be an ordinary HTML form whose "filled out data" then is transmitted via the "post" method to an http (not https) URL. III. ANALYSIS We inspected the page's source via our Opera browser. (We did not sniff the web traffic so we are not absolutely sure that there is not some hidden encryption method, though there appears to be none.) IV. DETECTION It is trivial to inspect the page source or sniff the data to demonstrate the problem. The problem has not been corrected. V. WORKAROUND Use a method other than their web site to exercise one's preferences. VI. VENDOR RESPONSE The vendor (Wachovia Bank) was notified via their customer service phone number on June 25. We were transferred to "web support". The person answering asked us to FAX the details to her and we did so, also on June 25. We explained that we were reporting a severe security problem on their web site. We stated that that if we did not hear back from them within 7 days and the problem was not fixed by then that we would post the problem on the Full Disclosure list, following accepted industry practice. To date we have received no response and the problem remains unfixed. VII. CVE INFORMATION There is no CVE number. VIII. DISCLOSURE TIMELINE 06/25/2007 Initial vendor notification 06/25/2007 Vendor requested FAXed details 06/25/2007 Details FAXed to vendor 07/20/2007 No vendor response 07/20/2007 Public disclosure on this Full Disclosure list IX. CREDIT This problem was discovered by Bob Toxen, one of our engineers. X. LEGAL NOTICES Copyright © 2007 Horizon Network Security. All rights reserved. Permission is granted for the redistribution of this alert electronically. It may not be edited without the express written consent of Horizon Network Security. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail btoxen () VerySecureLinux com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing, based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition and waiving of the right to any action against Horizon Network Security or its employees or contractors. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. We believe Wachovia Bank is obligated by California's security breach disclosure laws to notify its California customers who may have used this form and the State of California. Other jurisdictions also may have notification requirements. Bob Toxen, Horizon Network Security http://www.verysecurelinux.com [Network & Linux/Unix Security Consulting] http://www.realworldlinuxsecurity.com [Our 5* book: "Real World Linux Security"] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGlCkzelSgjADJQKsRAkmxAKCr4OkyXTU1GuUzoOJ2t+6CX47EUwCdHm/9 HhSRnZYhK/VA4+YZ/FBEflU= =crs5 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Wachovia Bank website sends confidential information Bob Toxen (Jul 10)
- Re: Wachovia Bank website sends confidential information scott (Jul 10)
- Re: Wachovia Bank website sends confidential information Jim Popovitch (Jul 10)
- Re: Wachovia Bank website sends confidential information Tremaine Lea (Jul 10)
- Re: Wachovia Bank website sends confidential information Valdis . Kletnieks (Jul 10)
- Re: Wachovia Bank website sends confidential information J. Oquendo (Jul 11)
- Re: Wachovia Bank website sends confidential information kazaam (Jul 11)
- Re: Wachovia Bank website sends confidential information Bob Bruen (Jul 11)
- Re: Wachovia Bank website sends confidential information J. Oquendo (Jul 11)
- Re: Wachovia Bank website sends confidential information Jim Popovitch (Jul 11)
- Re: Wachovia Bank website sends confidential information Bob Bruen (Jul 11)
- Re: Wachovia Bank website sends confidential information Security Guy (Jul 11)