A security vulnerability in an online payment site run by Citibank may be leaving sensitive customer data exposed and leaving the door wide open for crackers.
The flaw in Citibanks c2it.com site enables any logged-in user of the site to access other users accounts and transfer cash, view credit-card and bank data, and even cover his tracks when hes finished.
The vulnerability, known as cross-site scripting, is a common one and has been well-publicized for nearly two years. It involves a flaw in the way dynamically generated Web pages are created that enables an attacker to enter malicious code into form fields and retrieve data from remote Web servers.
The c2it vulnerability was discovered by Dave deVitry, a security researcher who focuses on cross-site scripting problems. He first notified Citibank of the problem in September and published an advisory about C2it to the Bugtraq mailing list Monday.
He said the flaw is relatively simple to exploit—and simpler to fix.
In a longer version of the advisory that is posted on his Web site, deVitry cites two separate attacks that are possible and provides sample scripts for accomplishing them. He also describes how an attacker could potentially mask his actions on c2it by corrupting the sites transaction history page.
"Security and privacy are the pillars upon which c2it service was built, and we are proud of the innovations we have made to protect members data and personal identities throughout every component of the c2it service," the statement reads in part.
deVitry recommends that Citibank shut down c2it.com until the issue is fixed and warns users to steer clear of the service until the vulnerability is remedied.
He also said that although Citibank on Tuesday implemented a partial fix for the problem, the companys slow response to such a serious issue is troubling.
"What Im most surprised at is their lack of an aggressive fix for this," deVitry said. "Of course, they never should have had these holes in the first place. If they missed this simple security hole, imagine what else they could have missed."
Attempts to reach Citigroup Inc.s Citibank unit for comment were unsuccessful.