[NEWS] Citibank (Canada) Internet Explorer Misconfiguration
From: support@securiteam.com
Date: 01/01/03
From: support@securiteam.com To: list@securiteam.com Date: 1 Jan 2003 10:21:35 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
Citibank (Canada) Internet Explorer Misconfiguration
------------------------------------------------------------------------
SUMMARY
A problem in the way Citibank's login page interacts with the browser causes
the user to unwillingly save the username and password he used on the local
machine. This means that anyone with access to that computer can impersonate
the user at the login page without needing to know his password.
DETAILS
There is a small silly hitch with Citibank Canada's secured sign in to
online banking:
https://citibankcanada.ebilling.com/index.jhtml
Specifically, AUTOCOMPLETE="off" is not set in the forms.
While much explanation is made about SSL connections and fancy digital
certificates, the simplest of web programming errors make these all
worthless security mechanisms.
Citibank Canada's login allows for the Microsoft Internet Explorer
autocomplete feature to function. What that does is remember your name and
password. So on a public or even private machine, all one needs to do is,
double click the "name" form and the password will automatically
autocomplete [fill in].
Cursory examination of the Citibank USA sign-in form confirms that autocomplete is disabled there:
<form name=signon
action='https://web.da-us.citibank.com/cgi-bin/citifi/scripts/login2/login.jsp'
method='post' onsubmit='return onSubmit(signon);' AUTOCOMPLETE="off">
<input type=hidden name="flow" value="login1">
<input type=hidden name="remember" value="Y">
<input type=hidden name="next_page" value="">
There might be other affected Citibank sign-ins, though, including those of
international branches.
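The check above was done by hand; the following added example (not part of the original advisory, and not Citibank's code) automates it. It parses an HTML page with Python's standard-library html.parser and reports every password input that neither carries autocomplete="off" itself nor sits inside a form that does. The embedded page is constructed for the example: its first form mirrors the reported Canadian problem, the second mirrors the form-level AUTOCOMPLETE="off" of the USA form quoted above, and the third shows the field-level variant.

```python
from html.parser import HTMLParser

# Constructed sample page for this example; it is NOT Citibank's real HTML.
# Form 1: no AUTOCOMPLETE attribute at all (the reported problem).
# Form 2: form-level AUTOCOMPLETE="off", as in the quoted USA sign-in form.
# Form 3: opt-out set on the individual inputs instead of the form.
CONSTRUCTED_PAGE = """
<form name=signin action='/index.jhtml' method='post'>
  <input type=text name="userid">
  <input type=password name="pin">
</form>
<form name=signon action='/login.jsp' method='post' AUTOCOMPLETE="off">
  <input type=hidden name="flow" value="login1">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form name="field_level" action="/login" method="post">
  <input type="text" name="user" autocomplete="off">
  <input type="password" name="secret" autocomplete="off">
</form>
"""


class AutocompleteAuditor(HTMLParser):
    """Records every password input together with whether it, or the form
    enclosing it, opts out of browser autocomplete."""

    def __init__(self):
        super().__init__()
        self._forms = []    # stack of (form label, form-level opt-out flag)
        self.findings = []  # one dict per password field seen

    @staticmethod
    def _is_off(attrs):
        return attrs.get("autocomplete", "").strip().lower() == "off"

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; a valueless
        # attribute arrives as None, which we normalise to "".
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "form":
            label = attrs.get("name") or attrs.get("action") or "<unnamed form>"
            self._forms.append((label, self._is_off(attrs)))
        elif tag == "input" and attrs.get("type", "text").lower() == "password":
            form_label, form_off = (
                self._forms[-1] if self._forms else ("<no form>", False)
            )
            self.findings.append({
                "form": form_label,
                "field": attrs.get("name", "<unnamed input>"),
                "protected": form_off or self._is_off(attrs),
            })

    def handle_endtag(self, tag):
        if tag == "form" and self._forms:
            self._forms.pop()


def audit(html):
    """Return one finding per password field in the given HTML."""
    parser = AutocompleteAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def unprotected_fields(html):
    """Return (form, field) pairs for password inputs a browser may offer to save."""
    return [(f["form"], f["field"]) for f in audit(html) if not f["protected"]]


if __name__ == "__main__":
    for form, field in unprotected_fields(CONSTRUCTED_PAGE):
        print(f"password field '{field}' in form '{form}' lacks autocomplete=off")
```

Run it against saved copies of each sign-in page to cover the other branches mentioned above; only the first constructed form is reported. Note that the attribute is a hint to the browser, not a guarantee: current browsers largely ignore autocomplete="off" on password fields, so the check audits the Internet Explorer-era mitigation the advisory describes rather than proving credentials cannot be saved.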
Workaround:
When using public machines [internet cafe, business center etc.] while
traveling, it is critical to clear all saved forms and passwords before
leaving. In Internet Explorer that is: TOOLS - INTERNET OPTIONS - CONTENT -
AUTOCOMPLETE: "CLEAR FORMS" & "CLEAR PASSWORDS". The same applies to shared
private machines.
ADDITIONAL INFORMATION
The information has been provided by Anonymous.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.