Bugtraq mailing list archives
Re: Capital One's website inadvertently assists phishing
From: Joseph Barillari <bugtraq () barillari org>
Date: Tue, 19 Apr 2005 19:12:09 -0400
On Tue, Apr 19, 2005 at 05:30:28PM -0500, dramatools wrote:
> However, I clicked your "proof of concept" link and found that the redirector did not send me to Wikipedia as expected, but Capital One's home page. Perhaps one of their security people is lurking on bugtraq and attempted to fix the problem on the spot. I'll keep monitoring this one.

Looks like full disclosure worked. Thanks!

http://barillari.org/blog/computers/internet/conephishing-updated.html

Timeline (should be mostly complete):

|13 Apr 01:28:45 -0400|Phishing email exploiting unchecked redirect arrives|
|13 Apr 01:54:51 -0400|Emailed webinfo () capitalone com to report it|
|13 Apr 01:53:00 -0400|Blog post posted (http://barillari.org/blog/computers/internet/conephishing.html)|
|13 Apr 16:29:45 -0400|Inform Capital One of my intention to post to bugtraq (http://securityfocus.org/archive/1) in 24 hours|
|13 Apr 16:31:11 -0400|Capital One form letter arrives: "this [phishing] email has not compromised Capital One's systems in any way,"|
|13 Apr 16:44:42 -0400|Reply to Capital One form letter: "this email _has_ taken advantage of a compromised Capital One system: Capital One's website redirects URLs without checking them....please see the note about bugtraq below"|
|13 Apr 16:47:15 -0400|Another form letter: "A Capital One representative will respond to your e-mail inquiry, usually within 24 - 48 hours. Please note, due to high email volumes, this timeframe may be extended to up to 72 hours". I wonder if saying "bugtraq" provokes this response.|
|19 Apr 16:32:15 -0400|Four business days later (well beyond 72h), redirect is still unchecked. Post bug to bugtraq (http://www.securityfocus.com/archive/1/396255) and cc Capital One|
|19 Apr 16:53:46 -0400|Reply to Capital One (signed by a human?) form letter: "the point is that the phishing email _has_ exploited a flaw in Capital One's systems. Your website permits unchecked redirects. This makes a phisher's job much, much easier."|
|19 Apr 18:01:00 -0400|A bugtraq subscriber tells me that he's emailed abuse () capitalone com (I should have thought of that)|
|19 Apr 14:27:05 -0800|*Another bugtraq subscriber tells me that it's fixed.* Checked myself --- apparently, it is.|
|19 Apr 18:55:38 -0400|Send email to webinfo@, thanking them for fixing the unchecked redirect.|
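The flaw this thread is about is a redirector that forwards the browser to whatever URL it is handed. Below is an added example of the kind of check that closes it; it is not code from the thread or from Capital One's site, and the origin and allowlisted hosts are constructed placeholders.

```python
from urllib.parse import urlsplit, urljoin

# Constructed, hypothetical values for the example: the site's own origin and
# the only hosts it is allowed to forward users to.
SITE_ORIGIN = "https://www.example-bank.test"
ALLOWED_HOSTS = {"www.example-bank.test", "secure.example-bank.test"}
FALLBACK = SITE_ORIGIN + "/"


def safe_redirect_target(target: str) -> str:
    """Validate a user-supplied redirect target and return the URL to send
    the browser to. Anything that does not resolve to this site or to an
    allowlisted host falls back to the home page instead of being passed
    through unchecked."""
    if not target:
        return FALLBACK
    # Backslashes, whitespace and control characters are interpreted
    # inconsistently by browsers ("/\evil" may be read as "//evil"), so
    # reject them rather than try to normalise them.
    if any(ch in "\\ \t\r\n" or ord(ch) < 0x20 for ch in target):
        return FALLBACK
    parts = urlsplit(target)
    if parts.netloc:
        # Absolute ("https://host/...") or scheme-relative ("//host/...") URL.
        if parts.scheme not in ("http", "https"):
            return FALLBACK
        # "https://www.example-bank.test@evil.test/" has hostname evil.test;
        # refuse any userinfo or explicit port so the allowlisted name cannot
        # be used as bait in front of a different authority.
        try:
            odd_authority = parts.username is not None or parts.port is not None
        except ValueError:  # malformed port such as ":abc"
            odd_authority = True
        if odd_authority or parts.hostname not in ALLOWED_HOSTS:
            return FALLBACK
        return target
    if parts.scheme:
        # "javascript:...", "data:..." or "http:evil.test" (no authority part).
        return FALLBACK
    if not target.startswith("/"):
        return FALLBACK
    # A plain site-relative path: resolve it against our own origin.
    return urljoin(SITE_ORIGIN, target)


if __name__ == "__main__":
    for candidate in ["/account/login", "//evil.test/", "javascript:alert(1)",
                      "https://www.example-bank.test@evil.test/"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```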