Bugtraq mailing list archives
Re: Bank of America Online Banking Security
From: "Eric N. Valor" <ericv () scruznet com>
Date: Fri, 14 Sep 2001 12:57:54 -0700
The other solution to this problem is more of a social-engineering workaround. Whenever I use an online banking session, after logging out of the session I always scrub both the memory and disk caches of my browser immediately after leaving the secure area.
Date: 14 Sep 2001 05:03:10 -0000
From: Brad Will <duke33 () yahoo com>
To: bugtraq () securityfocus com
Subject: Bank of America Online Banking Security

TOPIC: Bank Of America Online Banking Website Vulnerable to Reauthentication of Logged Out Sessions

DATE: 9-13-2001

FOUND BY: Brad Will

STATUS: Bank of America's Customer Service and Technical Support were notified on 8/1/2001. Both replied with canned "this will be forwarded to the appropriate parties" responses.

DESCRIPTION: Users of the Bank of America Online Banking website are vulnerable to a basic web security hole. After logging the current session out, a user can back up to a cached page (https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller) in their browser's history. (This is most easily reproduced in Netscape. In MSIE, the user will more than likely be automatically redirected to another page.) Once on this page, the user can press the "refresh" button in their browser. This will repost the login credentials from the previous login, creating a new session, and logging the user in to the site.
--
Eric N. Valor
ericv () scruznet com
Webmeister/Inetservices
Lutris Technologies
eric () lutris com
- This Space Intentionally Left Blank -
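The defect Brad Will describes (a cached login POST whose "refresh" re-submits the credentials after logout) is a server-side design problem as much as a browser-cache one. The following is an added illustration, not code from this thread or from Bank of America: a toy in-memory login handler in a vulnerable form beside a hardened form. The hardened form answers the login POST with a 303 redirect (Post/Redirect/Get, so a refresh re-issues a harmless GET rather than the POST), marks every response `Cache-Control: no-store` so there is no cached page to back up to, and binds each login form to a single-use token so a replayed POST body is refused. The user name, password, class and function names are constructed for the example.

```python
"""Constructed model of the logout/refresh re-authentication bug and its fix.

Not real bank code. The vulnerable handler returns the account page directly
from the login POST, so a browser refresh of that cached page re-posts the same
credentials and silently opens a new session after logout. The hardened handler
uses a single-use form token, Post/Redirect/Get and Cache-Control: no-store.
"""
import secrets
from dataclasses import dataclass, field

# Constructed credential store; the password is illustrative only.
USERS = {"alice": "correct horse battery staple"}

# Headers that keep a response out of the browser's disk/memory cache.
NO_STORE = {"Cache-Control": "no-store", "Pragma": "no-cache"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Bank:
    sessions: dict = field(default_factory=dict)   # session id -> username
    form_tokens: set = field(default_factory=set)  # unconsumed single-use tokens

    # --- vulnerable variant: the POST itself yields the logged-in page ---
    def login_vulnerable(self, form: dict) -> Response:
        if USERS.get(form.get("user")) != form.get("password"):
            return Response(401, body="bad credentials")
        sid = secrets.token_hex(16)
        self.sessions[sid] = form["user"]
        # 200 straight from a POST: the browser keeps this page in history and
        # "refresh" re-submits the credentials verbatim, logging in again.
        return Response(200, {"Set-Cookie": f"sid={sid}"}, body="account page")

    # --- hardened variant ---
    def login_form(self) -> Response:
        token = secrets.token_urlsafe(16)
        self.form_tokens.add(token)
        return Response(200, dict(NO_STORE), body=f"<form>... token={token}")

    def login_hardened(self, form: dict) -> Response:
        token = form.get("token")
        if token not in self.form_tokens:
            # Replayed or stale form (token already consumed): refuse to log in.
            return Response(403, dict(NO_STORE), body="stale login form")
        self.form_tokens.discard(token)  # single use, consumed before auth
        if USERS.get(form.get("user")) != form.get("password"):
            return Response(401, dict(NO_STORE), body="bad credentials")
        sid = secrets.token_hex(16)
        self.sessions[sid] = form["user"]
        headers = {**NO_STORE, "Set-Cookie": f"sid={sid}", "Location": "/account"}
        return Response(303, headers)  # Post/Redirect/Get: refresh re-GETs /account

    def logout(self, sid: str) -> Response:
        self.sessions.pop(sid, None)
        return Response(200, dict(NO_STORE), body="logged out")


def sid_from(resp: Response) -> str:
    """Extract the session id a response set, or '' if it set none."""
    return resp.headers.get("Set-Cookie", "").removeprefix("sid=")


def replay_after_logout(hardened: bool) -> bool:
    """Return True if re-posting the original login body after logout yields a
    live session, i.e. the bug described in the thread is present."""
    bank = Bank()
    if hardened:
        token = bank.login_form().body.split("token=")[1]
        post = {"user": "alice", "password": USERS["alice"], "token": token}
        login = bank.login_hardened
    else:
        post = {"user": "alice", "password": USERS["alice"]}
        login = bank.login_vulnerable
    first = login(post)
    bank.logout(sid_from(first))
    replay = login(dict(post))  # the browser "refresh" re-posting the same body
    return sid_from(replay) in bank.sessions


if __name__ == "__main__":
    print("vulnerable handler re-authenticates on replay:", replay_after_logout(False))
    print("hardened handler re-authenticates on replay:  ", replay_after_logout(True))
```

Run as a script it reports `True` for the vulnerable handler and `False` for the hardened one. Of the three measures, the 303 redirect is what stops a refresh from re-posting, `no-store` is what keeps the authenticated page out of the cache that Eric clears by hand above, and the single-use token is defence in depth for a client that re-posts anyway.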