Bugtraq mailing list archives

C2IT.com Cross Site Scripting Vulnerability


From: <security () devitry com>
Date: 7 Jan 2002 16:07:50 -0000



Summary

  CitiBank's online cash site, C2IT.com, has substantial vulnerabilities to Cross Site Scripting. The site is similar to PayPal in that it lets users attach bank and credit card accounts to this online system. Users can then "send" cash to any user via their email address.

  The site leaves nearly every form field unfiltered. The site also displays credit card numbers, bank account numbers, security codes and other data with no obfuscation. This info is then available to javascript through cross site scripting. Citibank was notified 4 months ago about problems with their sites and many times since; however, no noticeable actions have been taken yet.

  This alert documents two sample attacks:
  - Gaining access to users' credit card and bank account numbers
  - Scripting cash transfers out of users' accounts and/or credit cards

Details

  http://www.devitry.com/c2it-security.html

  I'm not posting the javascript examples here as many email servers now reject email with even the hint of javascript in them. (Hmm, maybe that is a bad thing if someone is not actually getting what may be an important email?)

 -dave 
  devitry.com
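The two root causes named in the advisory (unfiltered form fields reflected into pages, and full card and bank account numbers written into the page where script can read them) are fixed by output encoding and masking on the server. The following is an added example, not code from the advisory or from C2IT.com; the function names and the sample profile are constructed for illustration.

```javascript
// Added example (not from the original advisory): HTML output encoding for
// reflected form fields plus masking of card/bank numbers before rendering.
// escapeHtml, maskNumber and renderProfile are hypothetical names.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode untrusted text before placing it in HTML element or attribute content,
// so that markup supplied in a form field is displayed literally, not executed.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Keep only the last four digits of a card or bank account number. A script
// that does run in the page can then read no more than the page shows.
function maskNumber(number) {
  const digits = String(number).replace(/\D/g, '');
  if (digits.length < 4) return '****';
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Render a profile page: every user-controlled field is encoded, account numbers
// are masked, and the card security code is never written to the page at all.
function renderProfile(profile) {
  return [
    `<p>Name: ${escapeHtml(profile.name)}</p>`,
    `<p>Card: ${maskNumber(profile.card)}</p>`,
    `<p>Bank account: ${maskNumber(profile.bankAccount)}</p>`,
    `<input type="text" name="memo" value="${escapeHtml(profile.memo)}">`,
  ].join('\n');
}

// Constructed sample data: a display name containing a script tag and a memo
// containing quotes, the two ways a form value breaks out of unencoded HTML.
const sampleProfile = {
  name: 'Dave <script>document.title = "x"</script>',
  card: '4111 1111 1111 1234',
  bankAccount: '123456789',
  memo: 'Rent "January"',
};

console.log(renderProfile(sampleProfile));
```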
