Bugtraq mailing list archives

Re: Capital One's website inadvertently assists phishing


From: Joseph Barillari <bugtraq () barillari org>
Date: Tue, 19 Apr 2005 19:12:09 -0400

On Tue, Apr 19, 2005 at 05:30:28PM -0500, dramatools wrote:
However, I clicked your "proof of concept" link and found that the
redirector did not send me to Wikipedia as expected, but Capital One's
home page.  Perhaps one of their security people is lurking on bugtraq
and attempted to fix the problem on the spot.  I'll keep monitoring this
one.

Looks like full disclosure worked. Thanks!

http://barillari.org/blog/computers/internet/conephishing-updated.html

Timeline (should be mostly complete):

|13 Apr 01:28:45 -0400|Phishing email exploiting unchecked redirect arrives|
|13 Apr 01:54:51 -0400|Emailed webinfo () capitalone com to report it|
|13 Apr 01:53:00 -0400|Blog post "posted":http://barillari.org/blog/computers/internet/conephishing.html|
|13 Apr 16:29:45 -0400|Inform Capital One of my intention to post to "bugtraq":http://securityfocus.org/archive/1 in 24 hours|
|13 Apr 16:31:11 -0400|Capital One form letter arrives: "this [phishing] email has not compromised Capital One's systems in any way,"|
|13 Apr 16:44:42 -0400|Reply to Capital One form letter: "this email _has_ taken advantage of a compromised Capital One system: Capital One's website redirects URLs without checking them....please see the note about bugtraq below"|
|13 Apr 16:47:15 -0400|Another form letter: "A Capital One representative will respond to your e-mail inquiry, usually within 24 - 48 hours. Please note, due to high email volumes, this timeframe may be extended to up to 72 hours". I wonder if saying "bugtraq" provokes this response.|
|19 Apr 16:32:15 -0400|Four business days later (well beyond 72h), redirect is still unchecked. "Post":http://www.securityfocus.com/archive/1/396255 bug to bugtraq and cc Capital One|
|19 Apr 16:53:46 -0400|Reply to Capital One (signed by a human?) form letter: "the point is that the phishing email _has_ exploited a flaw in Capital One's systems. Your website permits unchecked redirects. This makes a phisher's job much, much easier."|
|19 Apr 18:01:00 -0400|A bugtraq subscriber tells me that he's emailed abuse () capitalone com (I should have thought of that)|
|19 Apr 14:27:05 -0800|*Another bugtraq subscriber tells me that it's fixed.* Checked myself --- apparently, it is.|
|19 Apr 18:55:38 -0400|Send email to webinfo@, thanking them for fixing the unchecked redirect.|
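The fix the timeline asks for is a redirect endpoint that checks its target before sending the browser there. The following is an added example of such a check (my code, not Capital One's or the author's); the allowlisted host `www.example-bank.test` and the sample inputs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the site's own hostnames; not a real bank host.
ALLOWED_HOSTS = {"www.example-bank.test"}
DEFAULT_TARGET = "/"


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that stays on this site, or the default landing page.

    Accepts either a site-relative path ("/account") or an https URL whose
    hostname is allowlisted. Everything else (foreign hosts, scheme-relative
    URLs, userinfo tricks, non-https schemes) falls back to the default, so a
    phishing mail cannot bounce a victim through this endpoint to its own site.
    """
    if not raw:
        return default
    # Browsers treat backslashes like forward slashes, so normalise them first;
    # otherwise "/\evil.test" would look like a harmless relative path.
    candidate = raw.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme or parts.netloc:
        # Absolute (or scheme-relative "//host") URL: require https and an
        # allowlisted hostname. .hostname drops userinfo and port and lowercases,
        # so "https://www.example-bank.test@evil.test/" resolves to evil.test.
        if parts.scheme.lower() != "https":
            return default
        if parts.hostname not in allowed_hosts:
            return default
        return candidate

    # No scheme, no netloc: must be a single-slash site-relative path.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


if __name__ == "__main__":
    # Constructed sample values a redirector might receive in its "url" parameter.
    for sample in ["/account/summary",
                   "https://www.example-bank.test/login",
                   "https://evil.test/capitalone-login",
                   "//evil.test/",
                   "https://www.example-bank.test@evil.test/",
                   "javascript:alert(1)"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)!r}")
```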

