Full Disclosure mailing list archives
Re: Wachovia Bank website sends confidential information
From: Bob Toxen <bob () verysecurelinux com>
Date: Wed, 11 Jul 2007 03:28:45 -0400
On Tue, Jul 10, 2007 at 09:39:33PM -0400, Jim Popovitch wrote:
> On Tue, 2007-07-10 at 20:20 -0400, Bob Toxen wrote:
> > VI. VENDOR RESPONSE
> > The vendor (Wachovia Bank) was notified via their customer service phone number on June 25. We were transferred to "web support". The person answering asked us to FAX the details to her and we did so, also on June 25. We explained that we were reporting a severe security problem on their web site.
>
> Severe? All that seems to be leaked is a person's Name/Address/SSN number and some other details. While this is too much info to leak, I'd hardly say it's severe. That same info can be easily found in people's mailboxes weekdays between noon and 4pm.

Leaking a SSN is considered serious. My use of the term "severe" was to get their attention.

> > We stated that if we did not hear back from them within 7 days and the problem was not fixed by then that we would post the problem on the Full Disclosure list, following accepted industry practice.
>
> 7 days? "industry practice"? Come on Bob, I know you know that large corporations can't feed a cat in 7 days, let alone make unscheduled website changes that fast. Change control approvals alone would include 14 or more days in most enterprises. Why the rush to "say so"?

Please read my posting more carefully. I stated that if I did not hear back within 7 days and the problem persisted then I would disclose it. All they had to do was to ask for more time and I would have granted any reasonable extension. Instead, it appears that they ignored my report; discouraging that is what Full Disclosure is all about, IMO. I think that that web page should have been shut down within the hour, as any competent web person could have confirmed the leak with a few minutes' inspection of the page source.

> -Jim P.
Bob