Bugtraq mailing list archives
Bank of America Online Banking Security
From: Brad Will <duke33 () yahoo com>
Date: 14 Sep 2001 05:03:10 -0000
TOPIC: Bank Of America Online Banking Website Vulnerable to Reauthentication of Logged Out Sessions DATE: 9-13-2001 FOUND BY: Brad Will STATUS: Bank of America's Customer Service and Technical Support were notified in 8/1/2001. Both replied with canned "this will be forwarded to the appropriate parties" responses. DESCRIPTION: Users of the Bank of America Online Banking website are vulnerable to a basic web security hole. After logging the current session out, a user can back up to a cached page (https://onlineid.bankofamerica.com/cgi- bin/sso.login.controller) in their browser's history. (This is most easily reproduced in Netscape. In MSIE, the user will more than likely be automatically redirected to another page.) Once on this page, the user can press the "refresh" button in their browser. This will repost the login credentials from the previous login, creating a new session, and logging the user in to the site. FIX: There are numerous ways to solve this problem. One common method is to insert a hidden field containing a number into the HTML. Then, this number is tied to a specific session. If the session has already been logged out, when the form is reposted, the hidden value will have already been used, and access is not allowed.
Current thread:
- Bank of America Online Banking Security Brad Will (Sep 14)
- <Possible follow-ups>
- Re: Bank of America Online Banking Security Eric N. Valor (Sep 14)