Re: Wachovia Bank website sends confidential information

[Alexander Sotirov <asotirov () determina com>]

Jim Popovitch wrote:
> 7 days?   "industry practice"?   Come on Bob I know you know that large
> corporations can't feed a cat in 7 days let alone make unscheduled
> website changes that fast.  Change control approvals alone would include
> 14 or more days in most enterprises.   Why the rush to "say so"?

Why should a security researcher waste their time with a vendor who can't even
acknowledge the receipt of a security notification in 7 days? Even the OIS
guidelines (which are pretty heavily vendor biased) suggest that vendors should
respond to notifications no later than 7 days (3 days if the researchers asks
for receipt confirmation)

If Wachovia had responded with a receipt confirmation on the same day, and
followed up in a few days with the results of an initial analysis and perhaps a
case number from their bug tracking system, things might have been different.

By the way, the privacy page is not the biggest issue on Wachovia's web site. On
http://www.wachovia.com/ they have a online banking login form. The username and
password are submitted to a HTTPS url, but the form itself is not protected.
It's trivial to MITM the HTTP site and capture the data from the login form
before it is submitted (or redirect it to a server of your choice). Of course
they show a nice padlock image next to the login form, so it must be safe!

It appears that MITM is just not part of Wachovia's threat model.

Alex

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/