Bugtraq mailing list archives

Bank of America Online Banking Security


From: Brad Will <duke33 () yahoo com>
Date: 14 Sep 2001 05:03:10 -0000

TOPIC: Bank Of America Online Banking Website Vulnerable to Reauthentication of Logged Out Sessions

DATE:  9-13-2001
FOUND BY: Brad Will
STATUS: Bank of America's Customer Service and Technical Support were notified on 8/1/2001. Both replied with canned "this will be forwarded to the appropriate parties" responses.

DESCRIPTION: Users of the Bank of America Online Banking website are vulnerable to a basic web security hole. After logging the current session out, a user can back up to a cached page (https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller) in their browser's history. (This is most easily reproduced in Netscape. In MSIE, the user will more than likely be automatically redirected to another page.) Once on this page, the user can press the "refresh" button in their browser. This will repost the login credentials from the previous login, creating a new session and logging the user in to the site.

FIX: There are numerous ways to solve this problem. One common method is to insert a hidden field containing a number into the HTML login form, with that number tied to a specific session and valid for a single use. If the session has already been logged out, the hidden value will already have been used when the form is reposted, and access is not allowed.
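The single-use hidden-field fix described above, as an added illustration that is not Bank of America's code: the token is consumed the moment the login POST is processed, so a browser refresh that resends the same form after logout finds no matching token and is refused. The store names, TTL and `no_store_headers()` helper are assumptions for the example.

```python
import secrets
import time

# Constructed illustration of the single-use hidden-field fix; not Bank of
# America's code. The dicts stand in for a shared server-side store.
FORM_TOKENS = {}        # token -> time issued
ACTIVE_SESSIONS = {}    # session id -> user name
TOKEN_TTL_SECONDS = 600

def render_login_form():
    """Mint a fresh token, embed it as a hidden field, return (token, html)."""
    token = secrets.token_urlsafe(32)
    FORM_TOKENS[token] = time.time()
    html = ('<form method="POST" action="/login">\n'
            f'  <input type="hidden" name="form_token" value="{token}">\n'
            '  <input name="user"> <input type="password" name="pass">\n'
            '</form>')
    return token, html

def handle_login(fields, check_password):
    """Consume the token, then verify credentials. Returns a session id or None."""
    # pop() removes the token whether or not the login succeeds, so a replayed
    # POST (browser Refresh on a cached login page) finds no matching token.
    issued = FORM_TOKENS.pop(fields.get("form_token"), None)
    if issued is None or time.time() - issued > TOKEN_TTL_SECONDS:
        return None
    if not check_password(fields.get("user"), fields.get("pass")):
        return None
    session_id = secrets.token_urlsafe(32)
    ACTIVE_SESSIONS[session_id] = fields["user"]
    return session_id

def handle_logout(session_id):
    """Invalidate the server-side session; no token is re-issued here."""
    ACTIVE_SESSIONS.pop(session_id, None)

def no_store_headers():
    """Headers for authenticated pages so the browser keeps no copy to back up to."""
    return {"Cache-Control": "no-store", "Pragma": "no-cache", "Expires": "0"}

def replay_scenario():
    """Log in, log out, then repost the identical form. Returns (first_ok, replay_ok)."""
    check = lambda u, p: (u, p) == ("alice", "correct horse")   # stand-in credential check
    token, _ = render_login_form()
    post = {"form_token": token, "user": "alice", "pass": "correct horse"}
    sid = handle_login(post, check)
    handle_logout(sid)
    replay = handle_login(dict(post), check)   # the same bytes the browser would resend
    return sid is not None, replay is not None
```

Pairing the token with `Cache-Control: no-store` on the authenticated pages closes both halves of the report: the browser has no cached login page to return to, and a resent form is rejected even if it does.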

