Full Disclosure mailing list archives
Re: Wachovia Bank website sends confidential information
From: Alexander Sotirov <asotirov () determina com>
Date: Tue, 10 Jul 2007 23:34:23 -0700
Jim Popovitch wrote:
7 days? "industry practice"? Come on Bob I know you know that large corporations can't feed a cat in 7 days let alone make unscheduled website changes that fast. Change control approvals alone would include 14 or more days in most enterprises. Why the rush to "say so"?
Why should a security researcher waste their time with a vendor who can't even acknowledge the receipt of a security notification in 7 days? Even the OIS guidelines (which are pretty heavily vendor biased) suggest that vendors should respond to notifications no later than 7 days (3 days if the researcher asks for receipt confirmation). If Wachovia had responded with a receipt confirmation on the same day, and followed up in a few days with the results of an initial analysis and perhaps a case number from their bug tracking system, things might have been different.

By the way, the privacy page is not the biggest issue on Wachovia's web site. On http://www.wachovia.com/ they have an online banking login form. The username and password are submitted to an HTTPS URL, but the form itself is not protected. It's trivial to MITM the HTTP site and capture the data from the login form before it is submitted (or redirect it to a server of your choice). Of course they show a nice padlock image next to the login form, so it must be safe! It appears that MITM is just not part of Wachovia's threat model.

Alex
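The weakness Alex describes (a login form delivered over plain HTTP that posts to HTTPS) can be checked for mechanically. The following is an added example, not code from the post or from Wachovia: it parses a page with the standard library, locates forms that carry a password field, and flags them when either the page itself or the form action is not served over HTTPS. The page URL, hostnames and HTML are constructed placeholders.

```python
import html.parser
from urllib.parse import urljoin, urlsplit

class _FormScanner(html.parser.HTMLParser):
    """Collect each <form>: its resolved action and whether it holds a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            action = urljoin(self.page_url, a.get("action") or "")  # resolve relative actions
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_unprotected_login_forms(page_url, html_text):
    """Flag password forms a network attacker could tamper with: the page carrying the
    form was served over plain HTTP (its markup, padlock image and action can all be
    rewritten in transit), or the action itself submits credentials over plain HTTP."""
    scanner = _FormScanner(page_url)
    scanner.feed(html_text)
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        if urlsplit(page_url).scheme != "https":
            findings.append(("page-not-https", form["action"]))
        elif urlsplit(form["action"]).scheme != "https":
            findings.append(("action-not-https", form["action"]))
    return findings

# Constructed sample: an HTTP page whose login form posts to an HTTPS endpoint, the
# pattern described in the post. The hostnames are placeholders, not real sites.
SAMPLE_PAGE_URL = "http://bank.example/"
SAMPLE_HTML = """<html><body><img src="padlock.gif" alt="secure">
<form action="https://online.bank.example/login" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form><form action="/search"><input name="q"></form></body></html>"""

print(find_unprotected_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML))  # -> [('page-not-https', 'https://online.bank.example/login')]
```

The fix the finding points at is to serve the page that contains the form over HTTPS as well, not only the endpoint it posts to.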
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/