Re: Bank of America Online Banking Security

From: Eric N. Valor (ericv@scruznet.com)
Date: 09/14/01

• Previous message: Matthew Reams: "RE: Security Vulnerability with Microsoft Index Server 2.0(Sample file reveals file info, physical path etc)"
• Maybe in reply to: Brad Will: "Bank of America Online Banking Security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Message-Id: <4.3.2.7.2.20010914124053.03539080@mail.scruznet.com>
Date: Fri, 14 Sep 2001 12:57:54 -0700
To: bugtraq@securityfocus.com
From: "Eric N. Valor" <ericv@scruznet.com>
Subject: Re: Bank of America Online Banking Security

The other solution to this problem is more of a social-engineering
workaround. Whenever I use an online banking session, after logging out of
the session I always scrub both the memory and disk caches of my browser
immediately after leaving the secure area.

>Date: 14 Sep 2001 05:03:10 -0000
>From: Brad Will <duke33@yahoo.com>
>To: bugtraq@securityfocus.com
>Subject: Bank of America Online Banking Security
>
>TOPIC: Bank Of America Online Banking Website
>Vulnerable to Reauthentication of Logged Out
>Sessions
>
>DATE: 9-13-2001
>FOUND BY: Brad Will
>STATUS: Bank of America's Customer Service and
>Technical Support were notified in 8/1/2001. Both
>replied with canned "this will be forwarded to the
>appropriate parties" responses.
>
>DESCRIPTION: Users of the Bank of America Online
>Banking website are vulnerable to a basic web
>security hole. After logging the current session out, a
>user can back up to a cached page
>(https://onlineid.bankofamerica.com/cgi-
>bin/sso.login.controller) in their browser's history.
>(This is most easily reproduced in Netscape. In
>MSIE, the user will more than likely be automatically
>redirected to another page.)
>Once on this page, the user can press the "refresh"
>button in their browser. This will repost the login
>credentials from the previous login, creating a new
>session, and logging the user in to the site.

--
Eric N. Valor
ericv@scruznet.com
Webmeister/Inetservices
Lutris Technologies
eric@lutris.com
- This Space Intentionally Left Blank -

---

• Previous message: Matthew Reams: "RE: Security Vulnerability with Microsoft Index Server 2.0(Sample file reveals file info, physical path etc)"
• Maybe in reply to: Brad Will: "Bank of America Online Banking Security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Bank of America Online Banking Security ... Bank of America Online Banking Security ... session, and logging the user in to the site. ... (Bugtraq) Re: [PHP] session issues for unauthorized access? ... Sure the bank can prevent it or otherwise my bank would never use the ... >> Is there a really good way to use PHP Session to tell whenether the ... >> browser to another). ... (php.general) Re: Count visitors on my website ... that you can tally "current viewers". ... The viewer is the session for crying out loud. ... the server applying an arbitrary timeout, ... I suppose a bank can estimate how big to build its lobby by noting ... (comp.lang.php) RE: [PHP] session issues for unauthorized access? ... [PHP] session issues for unauthorized access? ... Sure the bank can prevent it or otherwise my bank would never use the ... >> browser to another). ... (php.general) Re: How PHP Session ID is proved to be unique? ... it is not a problem of easy or difficult, but a chance ... ... consider you put money in bank and if other might take your session, ... or we need to find a better method to assign the session id, ... A typical sessionid consists of 31 or so characters, ... (comp.lang.php)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > bugtraq  > 2001-09