Re: Bank of America Online Banking Security

From: Eric N. Valor (ericv@scruznet.com)
Date: 09/14/01


Message-Id: <4.3.2.7.2.20010914124053.03539080@mail.scruznet.com>
Date: Fri, 14 Sep 2001 12:57:54 -0700
To: bugtraq@securityfocus.com
From: "Eric N. Valor" <ericv@scruznet.com>
Subject: Re: Bank of America Online Banking Security


The other solution to this problem is more of a social-engineering
workaround. Whenever I use an online banking session, after logging out of
the session I always scrub both the memory and disk caches of my browser
immediately after leaving the secure area.

>Date: 14 Sep 2001 05:03:10 -0000
>From: Brad Will <duke33@yahoo.com>
>To: bugtraq@securityfocus.com
>Subject: Bank of America Online Banking Security
>
>TOPIC: Bank Of America Online Banking Website
>Vulnerable to Reauthentication of Logged Out
>Sessions
>
>DATE: 9-13-2001
>FOUND BY: Brad Will
>STATUS: Bank of America's Customer Service and
>Technical Support were notified on 8/1/2001. Both
>replied with canned "this will be forwarded to the
>appropriate parties" responses.
>
>DESCRIPTION: Users of the Bank of America Online
>Banking website are vulnerable to a basic web
>security hole. After logging the current session out, a
>user can back up to a cached page
>(https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller)
>in their browser's history.
>(This is most easily reproduced in Netscape. In
>MSIE, the user will more than likely be automatically
>redirected to another page.)
>Once on this page, the user can press the "refresh"
>button in their browser. This will repost the login
>credentials from the previous login, creating a new
>session, and logging the user in to the site.

--
Eric N. Valor
ericv@scruznet.com
Webmeister/Inetservices
Lutris Technologies
eric@lutris.com

- This Space Intentionally Left Blank -
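As an added illustration (not part of Eric Valor's message, Brad Will's report, or Bank of America's code), the following Python model shows the server-side fixes a defender would apply to the replayed-login problem quoted above: the login page and its responses are served with no-store cache headers, each issued login form carries a one-time token that is burned on first use so a reposted cached form is refused before credentials are examined, and logout destroys the session server-side. The user store, token store, route names and status codes are constructed for the demo; a real service keeps these in a database and stores a password hash rather than the password.

```python
import hmac
import secrets

# Constructed in-memory state for this demo (hypothetical; a real service uses
# a database and stores a password hash, never the password itself).
USERS = {"alice": "correct horse battery staple"}  # constructed sample account
_live_form_tokens: set = set()   # one-time tokens embedded in issued login forms
_sessions: dict = {}             # session id -> username

# Headers that stop browsers from caching the login page or its response,
# so "Back" cannot return to a usable copy of the form.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


def render_login_form() -> dict:
    """GET /login: issue a fresh one-time token with the form."""
    token = secrets.token_urlsafe(32)
    _live_form_tokens.add(token)
    return {"status": 200, "headers": dict(NO_STORE_HEADERS), "form_token": token}


def handle_login(form: dict) -> dict:
    """POST /login: accept the credentials only once per issued form token."""
    token = form.get("form_token", "")
    if token not in _live_form_tokens:
        # A refreshed/reposted cached form carries a token that was already
        # consumed, so the replay is refused before credentials are checked.
        return {"status": 403, "headers": dict(NO_STORE_HEADERS),
                "error": "stale or replayed login form"}
    _live_form_tokens.discard(token)  # burn the token on first use

    user = form.get("user", "")
    password = form.get("password", "")
    expected = USERS.get(user)
    # Constant-time comparison; compare against a stored hash in production.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return {"status": 401, "headers": dict(NO_STORE_HEADERS), "error": "bad credentials"}

    sid = secrets.token_urlsafe(32)
    _sessions[sid] = user
    headers = dict(NO_STORE_HEADERS)
    headers["Set-Cookie"] = f"sid={sid}; Secure; HttpOnly; Path=/"
    return {"status": 302, "headers": headers, "session": sid}


def handle_logout(sid: str) -> dict:
    """POST /logout: invalidate the session server-side, not just in the cookie."""
    _sessions.pop(sid, None)
    headers = dict(NO_STORE_HEADERS)
    headers["Set-Cookie"] = "sid=; Max-Age=0; Secure; HttpOnly; Path=/"
    return {"status": 302, "headers": headers}


def is_authenticated(sid: str) -> bool:
    return sid in _sessions


def replay_scenario() -> tuple:
    """Model the report: log in, log out, then repost the cached login form."""
    page = render_login_form()
    form = {"user": "alice", "password": "correct horse battery staple",
            "form_token": page["form_token"]}
    first = handle_login(form)          # genuine login: 302 + new session
    handle_logout(first["session"])     # user logs out
    replay = handle_login(form)         # browser "refresh" reposts the same form
    return first["status"], replay["status"], is_authenticated(first["session"])


if __name__ == "__main__":
    print(replay_scenario())  # (302, 403, False)
```

The one-time form token is what defeats the refresh-after-logout in the report even on a browser that keeps the POST body in its cache: the credentials may be resubmitted, but the server no longer recognises the token, so no new session is created. The no-store headers reduce how often a cached copy of the page exists in the first place; the client-side cache scrubbing described in the reply above remains a sensible user-side habit since it does not depend on the bank's configuration.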


