Re: Bank of America Online Banking Security

From: Eric N. Valor (
Date: 09/14/01

Message-Id: <>
Date: Fri, 14 Sep 2001 12:57:54 -0700
From: "Eric N. Valor" <>
Subject: Re: Bank of America Online Banking Security

The other solution to this problem is more of a social-engineering
workaround. Whenever I use an online banking session, after logging out of
the session I always scrub both the memory and disk caches of my browser
immediately after leaving the secure area.

>Date: 14 Sep 2001 05:03:10 -0000
>From: Brad Will <>
>Subject: Bank of America Online Banking Security
>TOPIC: Bank Of America Online Banking Website
>Vulnerable to Reauthentication of Logged Out
>DATE: 9-13-2001
>FOUND BY: Brad Will
>STATUS: Bank of America's Customer Service and
>Technical Support were notified in 8/1/2001. Both
>replied with canned "this will be forwarded to the
>appropriate parties" responses.
>DESCRIPTION: Users of the Bank of America Online
>Banking website are vulnerable to a basic web
>security hole. After logging the current session out, a
>user can back up to a cached page
>bin/sso.login.controller) in their browser's history.
>(This is most easily reproduced in Netscape. In
>MSIE, the user will more than likely be automatically
>redirected to another page.)
>Once on this page, the user can press the "refresh"
>button in their browser. This will repost the login
>credentials from the previous login, creating a new
>session, and logging the user in to the site.

Eric N. Valor
Lutris Technologies

- This Space Intentionally Left Blank -