CITIBANK [CANADA]: INTERNET EXPLORER BROWSERS

From: http-equiv@excite.com
Date: 12/29/02

• Previous message: NTBUGTRAQ: "Database, and request a keyset or dynamic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date:         Sun, 29 Dec 2002 21:37:50 -0000
From: "http-equiv@excite.com" <http-equiv@MALWARE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Sunday, December 29, 2002

There is a small silly hitch with CITIBANK CANADA's secured sign in
to online banking:

https://citibankcanada.ebilling.com/index.jhtml

Specifically AUTOCOMPLETE="off" in the forms. It is not set.

While much explanation is made about SSL connections and fancy
digital certificates, the simplest of web programming errors
Thwarte ! all that:

CITIBANK CANADA's login allows for the Microsoft Internet Explorer
autocomplete feature to function. What that does is remember your
name and password. So on a public or even private machine, all one
needs to do is, double click the "name" form and the password will
automicrosoftly autocomplete [fill in].

Cursory examination of the CITIBANK USA confirms that it is disabled:

<form name=signon
    action='https://web.da-us.citibank.com/cgi-
bin/citifi/scripts/login2/login.jsp'
    method='post' onsubmit='return onSubmit(signon);'
AUTOCOMPLETE="off">
<input type=hidden name="flow" value="login1">
<input type=hidden name="remember" value="Y">
<input type=hidden name="next_page" value="">

There might be other CITIBANK sign in's though, including
international branches.

Notes: critical to ensure when travelling to clear all forms when
using public machines [internet cafe, business center etc.]. That
would be: TOOLS - INTERNET OPTIONS - CONTENT - AUTOCOMPLETE: "CLEAR
FORMS" & "CLEAR PASSWORDS". Not to mention shared private machines.

End Call

--
http://www.malware.com
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by Prometric - More than testing, learning.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
http://www.prometric.com
Prometric, part of The Thomson Corporation, is the leader in
technology-enabled testing and assessment services for information
technology certification, academic admissions, professional licensure and
certifications, computer-based driver's licensing, and corporate testing.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

---

• Previous message: NTBUGTRAQ: "Database, and request a keyset or dynamic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages CITIBANK [CANADA]: INTERNET EXPLORER BROWSERS ... CITIBANK CANADA's login allows for the Microsoft Internet Explorer ... So on a public or even private machine, ... using public machines ... (Bugtraq) RE: [Full-Disclosure] Fw: Citibank reminder: please update your data ... This and other similar ones have been flooding it's way across the internet ... that one I have received in most of my email accounts ... a quick browse of the Citibank site and speaking to a couple of friends who ... (Full-Disclosure)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > NT-Bugtraq  > 2002-12