Penetration Testing mailing list archives

Internet Bank Vulnerable!


From: "Kelvin" <kelvin () sec33 com>
Date: Sat, 23 Jun 2001 20:25:56 -0500

This is highly interesting.

I have discovered several Internet Banks that are vulnerable to many
standard IIS vulnerabilities. Many of the exploits are quite old. Well, for
obvious reasons I notified the Bank and the vendor of the Internet Banking
solution. I waited until today, which is 48 hours since the email and
telephone notification, and the Bank is still vulnerable. It amazes me every
time something like this happens. It might not be so bad if it were cookies
on a cooking website, but it really is financial information on the website
of a respected bank; it freaks me out even more.

As a test, I ran a search string on the file system looking for various
combinations such as: "$1,1", "0.12", "1,1"

Amazingly enough, I came up with entire listings of transactions and account
data. The records included names, phone numbers, credit cards, and the
like. No socials... That I felt good about.

Has anyone else had a scenario as serious as this? I am wondering if there
is a lesson someone here needs to learn! - Like maybe an Associated Press
lesson. If the newspaper were to find out that a bank was vulnerable - Wow,
they would eat that up; besides, the problem I am sure would get fixed.

Any thoughts?

You can see the findings and the article at:
http://www.sec33.com/archives/2001/internet_baking/banking_does_it_belong_online.html

Kelvin.
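An added example of the kind of content search the post describes: walking a web root and flagging files that contain currency amounts or Luhn-valid card numbers. This is my illustration, not code from Kelvin, the bank, or the banking vendor; the directory layout, file contents, record values and the test card numbers are constructed for the demonstration.

```python
"""Sensitive-data discovery scan: find transaction-like records in a web tree.

Added example, not code from the original post. Paths and file contents are
constructed for the demonstration.
"""
import os
import re
import tempfile

# Currency amounts such as "$1,234.56" or "0.12" (two decimal places are
# required so that version strings and IP addresses are not reported).
AMOUNT_RE = re.compile(r"\$?\b\d{1,3}(?:,\d{3})*\.\d{2}\b")

# 13-19 digit runs, optionally separated by spaces or dashes; each candidate
# is then checked with the Luhn algorithm to cut down false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_amounts(text: str) -> list:
    """Return every currency-looking amount in the text, in order."""
    return AMOUNT_RE.findall(text)


def find_card_numbers(text: str) -> list:
    """Return normalised (digits only) card numbers that pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_tree(root: str) -> dict:
    """Walk root and map relative path -> findings for every file with hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            amounts = find_amounts(text)
            cards = find_card_numbers(text)
            if amounts or cards:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = {"amounts": amounts, "cards": cards}
    return findings


# Constructed sample web root: one leaked transaction export and one
# harmless help page. The card numbers are the well-known test numbers.
SAMPLE_FILES = {
    "export/txn_0612.txt": (
        "ACCT  NAME        PHONE     CARD                 AMOUNT\n"
        "10021 J. Example  555-0147  4111 1111 1111 1111  $1,234.56\n"
        "10022 K. Sample   555-0199  378282246310005      0.12\n"
    ),
    "www/help.html": "<p>Online banking help. Call 555-0100 weekdays.</p>\n",
}


def demo() -> dict:
    """Write the sample tree to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory(prefix="webroot_") as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(rel, hits)
```

Run against a real document root, `scan_tree` reports only files that contain amount-shaped or Luhn-valid card-shaped strings, which is what separates a leaked transaction export from ordinary HTML; the Luhn check is what keeps phone numbers and account IDs out of the card list.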

