|
|
|
Flaw Leaves Online Citibank Customers Vulnerable
By: Dennis Fisher
2002-01-08
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
A security vulnerability in an online payment site run by Citibank may be leaving sensitive customer data exposed and leaving the door wide open for crackers.A security vulnerability in an online payment site run by Citibank may be leaving sensitive customer data exposed and leaving the door wide open for crackers.
The flaw in Citibanks c2it.com site enables any logged-in user of the site to access other users accounts and transfer cash, view credit-card and bank data, and even cover his tracks when hes finished.
The vulnerability, known as cross-site scripting, is a common one and has been well-publicized for nearly two years. It involves a flaw in the way dynamically generated Web pages are created that enables an attacker to enter malicious code into form fields and retrieve data from remote Web servers.
The c2it vulnerability was discovered by Dave deVitry, a security researcher who focuses on cross-site scripting problems. He first notified Citibank of the problem in September and published an advisory about C2it to the Bugtraq mailing list Monday.
He said the flaw is relatively simple to exploit—and simpler to fix.
"Its easy to exploit from a technology perspective," deVitry said. "One only really needs to know Javascript. To pull off a heist seamlessly, youd have to have [a secure Web server] somewhere, but still, [its] easy."
In a longer version of the advisory that is posted on his Web site, deVitry cites two separate attacks that are possible and provides sample scripts for accomplishing them. He also describes how an attacker could potentially mask his actions on c2it by corrupting the sites transaction history page.
C2it enables users to send electronic payments via accounts that are attached to a credit card or bank account. Its privacy policy has a long section concerning the sites security and the measures taken to prevent compromises of customer data.
"Security and privacy are the pillars upon which c2it service was built, and we are proud of the innovations we have made to protect members data and personal identities throughout every component of the c2it service," the statement reads in part.
deVitry recommends that Citibank shut down c2it.com until the issue is fixed and warns users to steer clear of the service until the vulnerability is remedied.
He also said that although Citibank on Tuesday implemented a partial fix for the problem, the companys slow response to such a serious issue is troubling.
"What Im most surprised at is their lack of an aggressive fix for this," deVitry said. "Of course, they never should have had these holes in the first place. If they missed this simple security hole, imagine what else they could have missed."
Attempts to reach Citigroup Inc.s Citibank unit for comment were unsuccessful.
|
|
�������x}r8s;�iW1E%UȖ\֔my,Uyb#� IlS$ROˉ�.K眮n�A$DސH$~ ooOD�0 pE1>=zg{HRso���M#6rJ��9AF#:,t�}w5�k9�9�rM���z=�>��;|�/s=NN5��%SjNACm3g�{zc_6gڄ2z9o2�f��E63F��6I���E�9�J��~;�K���Qow,8"���;|7* pfL&;�=a�>$B�k4ً�(qGws_�ad�y4*;U;a-�r[h*v�_e�ۭBul�v�i!hrs�!�g�ͻ�H͠L$Gd jI:��`iT11܋�Hчx�ހ]ݱ��&R,RE͌iAw4Ԭ�kS��cG
7�GCL�H��<~0[��QM9$�7�V�\jRNX0'C8:)X ۱2˭�#]6e5�^G~;m�g�E5�GlR"
=�y74Ja�-�;���L=:n/�yÙF-S4uHUZ+�R^(Տ}
L{DUyݙ�_煊B=ʑ�GA
Gf�nG�p[N�^ԢZ\�}G��r ]���Nֶ��w j�DTV*bh$"���P}jCG'$�@B�>o�VWB-R�#X@r�Ija�>E�4fEQ
u$nxЖL-AA9EX&�R*C�A-t1㝩S9m<]rt/۽>9]vsGR=Bg#j�`Bm�iq}¿�y�['^=z��,rG=����j�iT뒒{Sw2r!�j]}:>$7�Yn��gs�`lDiYܹ̑\yǛȃk�R(�y#0ri���4(�-ߖAf�w[ ���a7tBmҔj�
�)B���ܼkN��$9�ȡ��ȟ恒k4�R\� 9lb���vf�y�P:�?o�dB*�b�$r�ݢQ3^}N�}�$y3DD�ȝ g��/3�E94>BBp4k4N<
Y�C!ʠ��ڴb{\gfS�4!�E�&-`;^h>[ <[
K�PA}x�3껍Z��=H�}m�`�9�5$&CMߟ����s#09w��ښA�<�QБ4|a�
h�p.pp�yY?90�@]q�ksB�7}��͜�4F�&��QcSBԆ!~9.b�&O^"��{bA2� E�EK�i�@(� $h�5a��r����/l�ޑ�vR.%rP�nO�q$;�g%scMX.QY,�p[/ �Pf%)5{~u}bB�+|#'"�Xr`Y
�\h+i)yBOM\n�aDP$w:O̗�HږiE-�o2߄V�)9vC�\D ry͚X� 4ؐ�|ƓBn�?oWu�r@�H#od��m_²xcP66R(k��5Ӳ�=2P"
Cx�EO=iM!
cc�9�}sö��*��Pϖ?>2ai;ZY-Xj|-[�Y`B�^�eܠ)�fH� ~c�&�ʥ
ë�;q\�c�zڽu@nZtq۱O@>`�ǟG(a!��w1��JkX�$
U)=̔:Y[����^�|��@'��K |o2tJ.��k1sM^^��W�꺰']�|z� P[a�z{�>8`�Tf�la86-�b�?x;وy���EEQH~�2��;2.eX PY5mI�r�'j3��\�}ZJ\<��8�9�7!�Qo=�>
�U�4� ıLb0qqغ7,� 2q͝a&�?@�&R)Ö13gdimF�ǙXT&jA�bPI}&Xk5�F�><}*O|qNx@�� �E�.҈��ڀ���D(r�HU�X�#±U�鬢cKQ0SKm{hA��y-X\>(D�~?DBS}O=ܴ>?CU^f���"jXUclx�cC(JzTR*7+�{}|s??=e�hČR�8tc}y
_[�QݩfChߋ_
!v8c0�SMwK\i�>�#\\V`Qa�SF=4F�X\odH�$#c^(gF(k1��.
(�H3�0=�Gf^9/&?!'j7�p�e�??#ylR)btxLǖ8)ё,H���r*-ÏR�vU�#���tT#��� ����7)�X�]Q�iRZiS���9]RӲ�˧Z�ӁQ}/5u<|X\.�(``!>v#�3�Ho�a7X[�RkE}v��{/J.8F��2<"#��8��fS>�dZ{PDK!nΚ6�� s7}&�no^{y��˙�yrzg�n2E8z0J�d�o퀁șY%7Gj3m9�7a~����y�-0�>�[�Fb&�T~��\yY�R�glס3i21V/ c�
׃nc>۹+a��mo|m�,Mn1y�c�%[Ŵw)n<0{�L3gF�>
i�oUr�d2y6(Z�`E'8wD1$5�,1{o$
z9pY(�*"5@Z �i3Ɂ㚺/ksO3q:F?�0jiH3kT�r�HU�m{\ c�w�=�UL.]�oq�TYe) �k@q54OxZT+EZy��,�jJH�B D�5|dEO��C/
ސOkZDC~g�$}� W>V�K K�}b*ŪR.$�y�Vp8.�7xџ1XD+�++0�/�7"h ޜ-�c�r�[
e|R/fK�%�2��_vFܖ�[J,]��a
ha�L%Q;o]n@�h semn-`I3I)�`�{IO4c
��Cf"SkZ�%$< 7�C�d',-�LGI4~�:&.2O�%皽1D=
��⿂OnΏ{ܝ9Ԍ!��F4HΝJIUK U`jZ�'0��0
�ƈk���S@J7|@t�ɒ\�'
*BX]q,g(��X9H(P Yz>�ɷw��f/lCXx|{
`?K�{e$ $"z��дr3.=2��fxX�7&# 9914/xqi`�zM��%&BP`��&w,�ɪO@T�#N�Ew%]�7�UO}ڻ�HC6V"�#�&@v�\%0Ӑ �q�0螴CE HY�)o9�y�B>@lb%&hҫ&BR�
0><�@�s`�¼*,�S^Jl7`�ҵeNx�?IАݙ�-p溟9!M[_Fa's
]s�OI}i^wl'LUFxZ
P>?G$c:�I"�I^QԼګȊ̙S.r!��F�tZx@2��M�3}ݹ��Jf�z��Ӽ2iAxnl��Oo�C\�pb_�#x �y~cq�.�~�(�;_aO�,J麇9����]MZ^⽸�|>W90.5�=y$/A�v} ,D>?GkoD:*p&��n`��\`XE$bN
]h-Q1
��0ᐴ��M4[$j gx�OYQ�v�g�E�K`;.0BM�=6BM-%1t8l(xuwor=x_ߓ�,X)>�`D�2{:��dn���!!<>Eh�
V˿DPt5��H,��=*�cp5|j8,��&WZOIyg�@ck QOb�sB߳P�h�32Pq�<`9�_�F,H��kC6#CvG!a}�rKL[
i㮴Xu_d[T%L}IU+ZE�;Dx�,ZL�,"`Sq֓0XKL@�=�̻$N�#�6�zc5�ظ��$E9��:�TB.%JJ!ga o|^]d@|s-ǃs�$ nyI#�SKbP^"!~���O"$�OB$��(Ja7S���ԋb*D�|RGPhq[
->;��>6�_紵E4�LJՊR23F`�{
&��I
"g@R/IgʈtSgdߗTaE!F�}ʤA��@��<"�"AEJ"Ȋ;\U�OԦfZt��6߇�6Mr"׃4Ǔ� ���< �&RU�c1�YO@D w�bOUʳ5@JϗtcK{�s1Ij]�tp�-3|jb>O,�;@͚IH ;�;W]*miV'[xX �&:j#4�ڈ2��S4��Ym�I=N럾nZk)�q#����i"0��a�qZ�c-�m}�̅H{6d5�ҖlNt;�DAm�z^��VO�+]y.
�o^�Rj=UگG=�
�l5/nI�tȡmQz`vh=h4�Q�pRI7�&����U��$� ���aR���x�"%%���$Q}~E#J%!Ũ[%%T^4/d᭻R &w�z٭�0~�Ϸgs� 9"_w>w;7R�mSX)�阂5E=v��LfДB wX?JzZ0C[ ��H��H�cW�^�g��M瀲%%>ꄭ�1*.�M1]8ЮNHXe6au6>^Y��;�#mn&_�Ig���{]ޘ�xQR��n�^ׅL\]e��?b�~O���@��
6Z1֕@�燭|g{�lz:vO�ޜ�5_X�" &y��LZ���(\��}gz2"B�l;/~o/J�ѺōCR䣻
}i�!���8G�Bx}ReGvm|yw ����Ϥ�S��x�%�f�� ,]@Ѹ�,��H�ύv� |o' ^=�8 ��� Fsei>��h�Lyx\�em2 f6�/+c�o3>�n[Aͽ=V�4d
n:ư>�/n40�usm56,љsGW2*ei@�jf}5�;`ϴ
X�c�~��2oO�@85�QY'6$�[IHc�s;WPGX1̭-�ȡdnԉ�Vj�pu)Nf|py0KǠ�Ktx�;4n�!oq\,R�c-έ �/WiYd=I��I3mq��)Zaz8S[�~�xz1<_O1U&{�� �4�
ߛGxI~{QYcT<X ��E6
I3�6{�-�>1_)CSx(Ұ68.
2ä="L�G4�RT4�Mt?/w[{)ω�T9 ?�KL)`G!�d'?3��~�R͏L:�����"��ӛ�<��5�r�`�x��w�(='VKJA�k)G>?�F7��U6^�o�]IB7o|�7q�Hj*VM�,9�-�>dS�]�
ˠ_Y?�f^ǽ��'(Usq�"9m�2}SK]YL�a�
CZ(�M#�=%1�2{=#N!ɃKOk&`;�zZCvn&r$m']қݛS&!HsWJ"^tE�:r�Th
�z�Kx��cKݮ$��c��ɡ[+Ʌ)�wR
��?3')3ʭ�nF8[R$2myy|Xx7<�Z`���5rs̳yaNz`[g`z%ErN �%�C c�ʄ�:{ћbR=P�Ws�
?<<|6�ڄy��i$�Y0K9��7Fd.$<~Up��S�;BΐŪ!D̅tz['u}�H?Km1-揖+62s�����f�/�ut:��Zsrٹw�u�=<�2��嵉Dp@0`�z3M\/�X��h��coGs�oFe蘱�?� !'@vѻ�t�=Tr*�?E�r6Б`5 r��~^`פ �'0�枩ՀM1,+)�k�M(q�ik8<7>|>_iN0%�
aA���r���kEsfvR,��)���V7L[L#&|-�qx2̂R[�i�bl��Uo%P`�qT|8snj=J<�|�>h~b寀�ݙut]\��P�"@J��>Q�iA=`Aa~N#[C1P?RF�h_��fF���\m�<7 %�fQи/nF`@f&t,yǥ}-AGjp ��H�PgA~f\b�@Ԕ0��%(J�IB�q�XR~DB(6s�
q{rneG'\虞G�ȉ�+ݩ2K!0��
Ka1c�~PBM�Ф�P:#${(J{wy
}A�ݬ(d/c�/ZiB�R,
��?h$5GP�dQLz@|
LBz،Pf�r5[WW_iuC'ݫAwI;�<�m[8Z?N9v/;WAyjz10Kym21^�
ΓQ�9l]t283E BWh,Y384dG�1�4�ydx����lyї�U�1zű2�Pl��<�v؊r
/�gg:^�_M8FyS�sp���[dYA5rU>{0�8���S~s2 N�ԼVxu�xQ�?f�P~�(Ay/�)}
8hw2Ods)4�?��2�\~5Ϻ˻\(u3eF9\c?�\~�3_��s���Ȃ��"�?�0_�}^d�E�}"^f3(?A2/"�2c~/.3�2cz^F{ z��!_>2
_eԿ�Π>1>1� �l.�)>Cr�}�}
d�d
M�%u$e!(oeY
�NOo\�8�\8^��YOY射<(Cy<�<^`ek�W�x�sͿg�g{�%;[?[_W'vr]!,.%P�Wg^vfim4�viAư;/6�^c/UZ%/ވM,��A)Q.�
3l?V\[[,Oн�ۺ{�ϊ'NW4C�ﹲ�Kd^ Wsr>VD=՞bM�xG,E<�mc�sb��Ⱦi�1[�QGl`g]#=D~Mb9wW/3iK�Јw�3+ʔ�=��}��nC�7�}f©�n��_q�L
~iMnڧZ�v��<2kSյ/〚kp'k͠6K]abkL^�x*8��]�v5$$�}9= �zH}`o=S%�ntAe v"ѱm4!,5?hW, {+|#e� VI�Wd�ԢԱ"tH߱�=u7� ,�?h�PMP"�qm$!1qp�S$�^.X]�X^�ǁדc�Y{6DOn�
fiy]�� ,pd+:�Oe��;8`�U8K\UÖ9"[�o
%���@A�$t{�Xa+Nvޒ{־(� ;C���A{ٺ*ع�Ә1L1А8v2COA3t
ϭk�e[a ��O2�CZ24@��خ;O�q^G��3>Ƌ�rx{GoG۹1�1$(+nOvG�D
'>��6'كl4hM@��(Dْ�0�F-�>D/7agLJ��B Oɮx*hl'`��wDl�.3��*/YE
hWa)*e76K((Xp^GA6tǿ;�ƝMQK-�9���,BM:5y@t�z-�E
�p�eӵx�2
��W�c�/JbA,\�n2?>�i3$ @ }( oF8��,c�
0,:0��8utvKѺ
N�7"� a�^n1n-/ـ9&@���/A� wVǰ�-XF!Ƨۅ�7�'T�S*�4.v>ϝ/���xDh^N�wL_txnU%ӫrX�{{ej�
x�ٚջ�U$b�C}�Ay4O>jA@�`�V\3|f7tZ�Ю�sq7M�Sg�a+cPXjcL1GY{&�
LW{څG��Q�y6;|���,�݈bV��"NdrI)�9=O9*�R"L0M؏��Är"5poq#ye��טH��pK�g8
g!0X^�XpTT��/D4;N7�9�Ӟ�_yfϸȅ�^`\YGl
�+n:�'�ygb9�~g!ˁtں9!3��*`gGq~k'|�vQ��Je]E�yiAђ�4��!wj�/e={`o��s�g�|�oU��AtM��z'14mEg,(3l�W'BVR۽w�ߺ"f/F ۲M�)
i2�9Z{) 1RM�j39Q��2kG�sk&|Ʒ�R2ұeRZ`l/Z6?j?@"��
|
Network Security & Hardware 
