[22648] in bugtraq
Bank of America Online Banking Security
daemon@ATHENA.MIT.EDU (Brad Will)
Fri Sep 14 11:33:46 2001
Date: 14 Sep 2001 05:03:10 -0000
Message-ID: <20010914050310.1320.qmail@securityfocus.com>
From: Brad Will <duke33@yahoo.com>
To: bugtraq@securityfocus.com
TOPIC: Bank Of America Online Banking Website
Vulnerable to Reauthentication of Logged Out
Sessions
DATE: 9-13-2001
FOUND BY: Brad Will
STATUS: Bank of America's Customer Service and
Technical Support were notified in 8/1/2001. Both
replied with canned "this will be forwarded to the
appropriate parties" responses.
DESCRIPTION: Users of the Bank of America Online
Banking website are vulnerable to a basic web
security hole. After logging the current session out, a
user can back up to a cached page
(https://onlineid.bankofamerica.com/cgi-
bin/sso.login.controller) in their browser's history.
(This is most easily reproduced in Netscape. In
MSIE, the user will more than likely be automatically
redirected to another page.)
Once on this page, the user can press the "refresh"
button in their browser. This will repost the login
credentials from the previous login, creating a new
session, and logging the user in to the site.
FIX: There are numerous ways to solve this
problem. One common method is to insert a hidden
field containing a number into the HTML. Then, this
number is tied to a specific session. If the session
has already been logged out, when the form is
reposted, the hidden value will have already been
used, and access is not allowed.
