Bugtraq mailing list archives

RE: Charter One Bank privacy/security hole


From: "Dustin Miller" <dustin () fusewerx com>
Date: Mon, 19 Nov 2001 02:00:28 -0600

A follow up: After having their online banking site down "for routine
maintenance", Charter One Bank has fixed the loophole described below.

Dustin Miller, President
FuseWerx LTD
Purveyors of Technological Magic
http://www.fusewerx.com

-----Original Message-----
From: Dustin Miller [mailto:dustin () fusewerx com] 
Sent: Tuesday, November 13, 2001 7:17 PM
To: bugtraq () securityfocus com
Subject: Charter One Bank privacy/security hole

I recently e-mailed Charter One to notify them of this security
loophole.  Their response was just plain ignorant, telling me there is
no security problem when there is clearly a gaping one.

This affects ALL Charter One online banking customers who sign up for
additional deposit/savings accounts from the Charter One online banking
site.

When logged in to the Charter One online banking site, one of the menu
options (New Accounts) allows you to apply online for Deposit Accounts
or Consumer Loans.  Selecting either of those options brings up a page
prompting you to "click the 'Submit' button below".  Clicking that
button submits a form with hidden form fields containing the customer's
name, address, phone number, zip code, and social security number.
That, in and of itself, is a bit unusual.  The bad part is this: It
submits it to an insecure form, allowing anyone sniffing that connection
access to all the information they need to steal the customer's
identity.

Here's a snippet of the offending code (identifying info ***'d out):

<form name="confirmGo" method="post"
action="http://www.charterone.com/pf/brokat_deposit.asp">
<input type="hidden" name="URLRETURN"
value="https://www.totallyfreebanking.com/deposit_accounts.jsp" />
<input type="hidden" name="SOURCEURL"
value="https://www.totallyfreebanking.com/deposit_accounts.jsp" />
<input value="*********"       name="TAXID"      type="hidden">
<input value="DUSTIN"          name="NAME"       type="hidden">
<input value="MILLER"          name="NAME_2"     type="hidden">
<input value="**********************" name="ADDRESS" type="hidden">
<input value=""                name="ADDRESS_2"  type="hidden">
<input value="*************"   name="CITY"       type="hidden">
<input value="**"              name="STATE"      type="hidden">
<input value="*****-****"      name="ZIP"        type="hidden">
<input value="**********"      name="HOME_PHONE" type="hidden">
<input value="dustin () fusewerx com" name="EMAIL" type="hidden">
 
-----
Dustin Miller, President
FuseWerx LTD
Purveyors of Technological Magic
http://www.fusewerx.com 
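The defect described above (a confirmation form carrying the customer's name, address, SSN and phone number in hidden fields, with an action that points at a plain http:// URL) is easy to miss in a page review because nothing about it is visible in the browser. The script below is an added example, not code from the original post or from Charter One: it parses form markup with Python's standard-library HTMLParser, resolves each form's action against the hosting page (a relative action inherits the page's scheme), and reports any form that would post hidden fields with personal-data names over plaintext HTTP. SENSITIVE_NAMES is an assumed heuristic list, and the sample markup is a constructed copy of the posted form with the same masked values.

```python
"""Audit HTML forms for sensitive hidden fields posted over plaintext HTTP.

Added example, not code from the Bugtraq post or from the bank. Standard
library only. SENSITIVE_NAMES is an assumed heuristic; the sample markup is a
constructed copy of the form in the post, with values masked as there.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: hidden-field names that usually carry personal data.
# Matched case-insensitively; extend for the application under review.
SENSITIVE_NAMES = {
    "taxid", "ssn", "name", "name_2", "address", "address_2",
    "city", "state", "zip", "home_phone", "email",
}


class FormAuditor(HTMLParser):
    """Collect each <form>'s action and the names of its hidden inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "name": attrs.get("name") or "",
                "action": attrs.get("action") or "",
                "hidden": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "hidden":
                self._current["hidden"].append(attrs.get("name") or "")

    def handle_startendtag(self, tag, attrs):
        # Browsers ignore a stray "/" on a non-void element such as
        # <form ... />, so the inputs that follow still belong to that form.
        # Mirror that instead of closing the form immediately.
        self.handle_starttag(tag, attrs)
        if tag != "form":
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit(html, page_url="https://example.invalid/"):
    """Return forms that would post sensitive hidden fields to an http:// URL.

    page_url is the page the form is served on; a relative action inherits
    its scheme, so the action is resolved with urljoin before the check.
    """
    parser = FormAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        fields = [n for n in form["hidden"] if n.lower() in SENSITIVE_NAMES]
        if urlparse(target).scheme == "http" and fields:
            findings.append({"form": form["name"], "action": target,
                             "fields": fields})
    return findings


# Constructed copy of the posted form (values masked as in the post).
VULNERABLE_HTML = """
<form name="confirmGo" method="post"
action="http://www.charterone.com/pf/brokat_deposit.asp" />
<input type="hidden" name="URLRETURN"
value="https://www.totallyfreebanking.com/deposit_accounts.jsp" />
<input value="*********" name="TAXID" type="hidden">
<input value="DUSTIN" name="NAME" type="hidden">
<input value="*****-****" name="ZIP" type="hidden">
<input type="submit" value="Submit">
</form>
"""

# The same form with its action moved to https, which is what a fix must do.
FIXED_HTML = VULNERABLE_HTML.replace('action="http://', 'action="https://')

# Relative action: whether it is safe depends on the scheme of the hosting page.
RELATIVE_HTML = VULNERABLE_HTML.replace(
    "http://www.charterone.com/pf/brokat_deposit.asp", "/pf/brokat_deposit.asp")

if __name__ == "__main__":
    for label, html in (("vulnerable", VULNERABLE_HTML), ("fixed", FIXED_HTML)):
        print(label, audit(html))
```

Run it as-is to see the posted form flagged and the https variant pass; point audit() at saved copies of the post-login pages to check an application the same way. Note that the check only looks at the scheme of the form target: a form that posts over https to a URLRETURN page is not flagged, since the sensitive fields travel encrypted in that case.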


