Full Disclosure mailing list archives

Re: Wachovia Bank website sends confidential information


From: "Steve Ragan" <sragan () indy rr com>
Date: Wed, 11 Jul 2007 12:38:54 -0400

The link now redirects to an HTTPS page
 

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Bob Toxen
Sent: Tuesday, July 10, 2007 8:20 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Wachovia Bank website sends confidential
information

Wachovia Bank website sends confidential information (social security
numbers, phone number, address, etc.) over the Internet without encryption.

Horizon Network Security Security Advisory 07/10/2007
http://VerySecureLinux.com/ Jul 10, 2007

I. BACKGROUND

Wachovia Bank's official web site offers the following URL to allow its
customers to change their privacy preferences:

     http://www.wachovia.com/privacy

Wachovia also notified its customers by U.S. Mail that they can use that
same URL besides.

That URL has a link to the following to actually change one's
preferences:

     http://www.wachovia.com/personal/forms/privacy_optout

Unfortunately, that page appears to be an ordinary HTML form whose "filled
out data" then is transmitted via the "post" method to an http (not https)
URL.

III. ANALYSIS

We inspected the page's source via our Opera browser.  (We did not sniff the
web traffic so we are not absolutely sure that there is not some hidden
encryption method, though there appears to be none.)

IV. DETECTION

It is trivial to inspect the page source or sniff the data to demonstrate
the problem.  The problem has not been corrected.

V. WORKAROUND

Use a method other than their web site to exercise one's preferences.

VI. VENDOR RESPONSE

The vendor (Wachovia Bank) was notified via their customer service phone
number on June 25.  We were transferred to "web support".  The person
answering asked us to FAX the details to her and we did so, also on June 25.
We explained that we were reporting a severe security problem on their web
site.

We stated that if we did not hear back from them within 7 days and the
problem was not fixed by then that we would post the problem on the Full
Disclosure list, following accepted industry practice.

To date we have received no response and the problem remains unfixed.

VII. CVE INFORMATION

There is no CVE number.

VIII. DISCLOSURE TIMELINE

06/25/2007  Initial vendor notification
06/25/2007  Vendor requested FAXed details
06/25/2007  Details FAXed to vendor

07/20/2007  No vendor response
07/20/2007  Public disclosure on this Full Disclosure list

IX. CREDIT

This problem was discovered by Bob Toxen, one of our engineers.

X. LEGAL NOTICES

Copyright (C) 2007 Horizon Network Security.  All rights reserved.

Permission is granted for the redistribution of this alert electronically.
It may not be edited without the express written consent of Horizon Network
Security.  If you wish to reprint the whole or any part of this alert in any
other medium other than electronically, please e-mail
btoxen () VerySecureLinux com for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing, based on currently available information.  Use of
the information constitutes acceptance for use in an AS IS condition and
waiving of the right to any action against Horizon Network Security or its
employees or contractors.

There are no warranties with regard to this information.  Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.

We believe Wachovia Bank is obligated by California's security breach
disclosure laws to notify its California customers who may have used this
form and the State of California.  Other jurisdictions also may have
notification requirements.

Bob Toxen,
Horizon Network Security
http://www.verysecurelinux.com         [Network & Linux/Unix Security Consulting]
http://www.realworldlinuxsecurity.com  [Our 5* book: "Real World Linux Security"]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




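The advisory's detection section says the problem is visible by inspecting the page source: an ordinary form whose fields are posted to an http (not https) URL. The script below is an added example, written for this archive page and not taken from the advisory, from Horizon Network Security, or from Wachovia's site. It parses an HTML document, resolves each form's action against the page URL (an empty or relative action inherits the page's own scheme), and reports every form whose submission would leave the browser unencrypted, together with the field names it would carry. The page URL and the HTML it is run on are constructed for illustration and are not the real privacy form.

```python
"""Flag HTML forms whose fields would be submitted over plain HTTP.

Added example for the advisory above; not the advisory author's code.
The sample page URL and HTML below are constructed, not captured from
any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record each <form>'s method and action and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            # Buttons carry no user data; everything else the user typed does.
            if name and (a.get("type") or "").lower() not in ("submit", "button"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html):
    """Return (method, resolved action URL, field names) for every form
    that would submit over a scheme other than https.

    A relative or empty action is resolved against page_url, so a form on
    an http:// page is reported even when it names no scheme explicitly.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append((form["method"], target, form["fields"]))
    return findings


# Constructed sample: one form posting personal data to a relative action
# on an http:// page, one form posting to an https:// endpoint.
SAMPLE_PAGE_URL = "http://www.example.com/personal/forms/privacy_optout"
SAMPLE_HTML = """
<html><body>
<form method="post" action="/personal/forms/privacy_optout_submit">
  <input type="text" name="ssn">
  <input type="text" name="phone">
  <input type="submit" value="Send">
</form>
<form method="post" action="https://secure.example.com/optout">
  <input type="text" name="ssn">
  <input type="submit" value="Send">
</form>
</body></html>
"""

if __name__ == "__main__":
    for method, target, fields in insecure_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{method.upper()} {target} would send {fields} in clear text")
```

Run against a page fetched with any HTTP client, the same function gives a repeatable check for an audit: a finding means the listed fields travel unencrypted regardless of whether the page itself was served over TLS, which is exactly the case the advisory describes.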

