Re: Bank of America Online Banking Security

["Eric N. Valor" <ericv () scruznet com>]

The other solution to this problem is more of a social-engineering 
workaround.  Whenever I use an online banking session, after logging out of 
the session I always scrub both the memory and disk caches of my browser 
immediately after leaving the secure area.

> Date: 14 Sep 2001 05:03:10 -0000
> From: Brad Will <duke33 () yahoo com>
> To: bugtraq () securityfocus com
> Subject: Bank of America Online Banking Security
>
> TOPIC:  Bank Of America Online Banking Website
> Vulnerable to Reauthentication of Logged Out
> Sessions
>
> DATE:  9-13-2001
> FOUND BY: Brad Will
> STATUS: Bank of America's Customer Service and
> Technical Support were notified in 8/1/2001.  Both
> replied with canned "this will be forwarded to the
> appropriate parties" responses.
>
> DESCRIPTION: Users of the Bank of America Online
> Banking website are vulnerable to a basic web
> security hole.  After logging the current session out, a
> user can back up to a cached page
> (https://onlineid.bankofamerica.com/cgi-
> bin/sso.login.controller) in their browser's history.
> (This is most easily reproduced in Netscape.  In
> MSIE, the user will more than likely be automatically
> redirected to another page.)
> Once on this page, the user can press the "refresh"
> button in their browser.  This will repost the login
> credentials from the previous login, creating a new
> session, and logging the user in to the site.

--
Eric N. Valor
ericv () scruznet com
Webmeister/Inetservices
Lutris Technologies
eric () lutris com

- This Space Intentionally Left Blank -