[17360] in bugtraq
Bank One Online puts bank card numbers at risk of exposure
daemon@ATHENA.MIT.EDU (C Matthew Curtin)
Thu Oct 26 13:55:34 2000
Message-Id: <14839.35499.94411.508658@animal.interhack.net>
Date: Wed, 25 Oct 2000 21:36:43 -0400
Reply-To: C Matthew Curtin <cmcurtin@INTERHACK.NET>
From: C Matthew Curtin <cmcurtin@INTERHACK.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Bank One Online (www.bankoneonline.com) stores customer account
information -- specifically, credit and/or debit card numbers -- in
insecure cookies. There are several problems:

o Although the cookie is sent from the server to the browser in an
  encrypted channel, the flag used to prevent the browser from
  sending the cookie back in cleartext is not set. Thus, it is
  possible that the browser could send the bank card number across
  the Internet in the clear.

o The bank card number is stored "in the clear" on the local disk.
  Thus, people with access to read the cookies file will be able to
  read the bank card number. This is a larger threat in networked
  computing environments, particularly where the user's cookies
  aren't saved on the local disk, but on a centralized network
  server. These files are not always properly protected to prevent
  others from reading them.

o Another risk that comes from putting the bank card number in a
  cleartext cookie is that it can be read by someone on the local
  network with a packet sniffer if the cookies are saved on a network
  server.

o Finally, there are bugs in some browsers that make it possible for
  a malicious web site to have the user's cookies uploaded without
  approval. Such a site would be able to collect the bank card
  numbers of Bank One Online users. Although patches have been
  released, not everyone is running the latest patch level of the
  browser, and this clearly demonstrates that such bugs are
  possible and such mistakes could be made again.

We have detailed the problem and outlined a solution in our report
"Bank One Online Puts Customer Account Information at Risk."

Some common questions and their answers are available at
http://www.interhack.net/news/bankone.20001025.html.

The full report is available at
http://www.interhack.net/pubs/bankone-online/.
Compute safely.
--
Matt Curtin, Founder Interhack Corporation http://www.interhack.net/
"Building the Internet, Securely." research | development | consulting
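The two defects the post describes (a cookie issued without the Secure flag, and a payment card number stored as the cookie value) can be checked for in a site's own Set-Cookie headers. The audit script below is an added example and is not part of the original post or of Interhack's report; the Set-Cookie lines it runs over are constructed samples, not headers captured from any real site.

```python
import re
from typing import Dict, List

# Constructed sample Set-Cookie headers (not captured from any real server).
SAMPLE_HEADERS = [
    "Set-Cookie: cardno=4111111111111111; path=/; domain=.example.com",
    "Set-Cookie: session=abc123; path=/; Secure; HttpOnly",
    "Set-Cookie: prefs=lang%3Den; path=/",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into cookie name, value and attribute names."""
    body = re.sub(r"^Set-Cookie:\s*", "", header, flags=re.IGNORECASE)
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive; values (path=/, domain=...) are dropped.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the check-digit scheme used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card_number(value: str) -> bool:
    """13 to 19 digits (spaces/dashes stripped) that pass the Luhn check."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def audit_cookies(headers: List[str]) -> List[str]:
    """One finding per cookie that lacks Secure or carries a card-number-like value."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if "secure" not in c["attrs"]:
            findings.append(f"{c['name']}: missing Secure flag, browser may send it over cleartext HTTP")
        if looks_like_card_number(c["value"]):
            findings.append(f"{c['name']}: value is Luhn-valid and card-number sized, stored in cleartext")
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```

Run it against the Set-Cookie headers your own site emits over HTTPS; a cookie holding anything card-like should fail both checks only if it is never issued in the first place, since the Secure flag alone still leaves the value readable on disk.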