Hundreds of banking Websites are still vulnerable to a patched vulnerability affecting certain versions of the RSA Adaptive Authentication platform.
RSA, EMC's security division, is advising customers to apply a
two-year-old patch for its Adaptive Authentication product after a
researcher discovered hundreds of banking Websites are still open to
RSA Adaptive Authentication is a risk-based fraud prevention and authentication platform that measures risk indicators to identify suspicious activities
According to RSA, versions 2.x and 5.7.x of the on-premise edition of
the product are vulnerable to cross-site scripting due to a Flash
Shockwave file provided by the Adaptive Authentication system.
The vulnerability in question
actually patched in 2008, but was brought back into focus recently when
Nir Goldshlager, a security consultant with Avnet Technologies,
discovered many online banking sites were still vulnerable to attack,
something he uncovered after searching for the affected filename
in Google. He reported his discovery to RSA in November.
Still, hundreds of sites remain vulnerable, he told eWEEK.
Among the banking sites
found to be impacted was the site belonging to the Bank of America, which has since patched the issue.
Bank of America spokesperson Tara Burke said the patch was deployed and has proven to be successful.
"We have no evidence that our customers were affected," she said,
adding the company takes all reports of security vulnerabilities
seriously and has a Zero Liability program
for customers if they are victimized.
An attacker can exploit this like any other reflected cross-site scripting attack, Goldshlager explained.
"To exploit this, the attacker needs to send the victim a link," he
said. "When the victim clicks the link, the attacker will be able to
steal the sessionid from the victim that logged in to the online
According to an advisory on the issue by Secunia, certain input
passed to the Shockwave file is not properly sanitized before
being returned to the user.
"This can be exploited to execute arbitrary HTML and script code in
a user's browser session in context of an affected site," according to
Secunia, which rated the vulnerability less than critical.
The vulnerability does not affect 6.x versions, RSA noted in its updated advisory
. The company urged customers who have not already deployed the patch to obtain it from RSA SecurCare Online.
"All RSA Adaptive Authentication customers deploy the solution
primarily for the risk-based authentication and transaction monitoring,
which makes it much more difficult to compromise an online bank
account," a RSA spokesperson told eWEEK.
"In the interest of protecting our customers, RSA cannot divulge the
names or number of customers impacted by this issue," the spokesperson
continued. "However, since we reissued the security advisory about this
patch to our customers, RSA has received numerous positive responses
from customers indicating they are taking action to ensure their RSA
Adaptive Authentication on-premise installations are updated."