CITIBANK [CANADA]: INTERNET EXPLORER BROWSERS

From: http-equiv@excite.com
Date: 12/29/02

    To: <bugtraq@securityfocus.com>
    Date: Sun, 29 Dec 2002 21:37:50 -0000
    From: "http-equiv@excite.com" <http-equiv@malware.com>
    
    

    Sunday, December 29, 2002

    There is a small silly hitch with CITIBANK CANADA's secured sign in
    to online banking:

    https://citibankcanada.ebilling.com/index.jhtml

    Specifically AUTOCOMPLETE="off" in the forms. It is not set.

    While much explanation is made about SSL connections and fancy
    digital certificates, the simplest of web programming errors
    Thwarte ! all that:

    CITIBANK CANADA's login allows for the Microsoft Internet Explorer
    autocomplete feature to function. What that does is remember your
    name and password. So on a public or even private machine, all one
    needs to do is, double click the "name" form and the password will
    automicrosoftly autocomplete [fill in].

    Cursory examination of the CITIBANK USA confirms that it is disabled:

    <form name=signon
        action='https://web.da-us.citibank.com/cgi-bin/citifi/scripts/login2/login.jsp'
        method='post' onsubmit='return onSubmit(signon);'
    AUTOCOMPLETE="off">
    <input type=hidden name="flow" value="login1">
    <input type=hidden name="remember" value="Y">
    <input type=hidden name="next_page" value="">

    There might be other CITIBANK sign-ins though, including
    international branches.

    Notes: critical to ensure when travelling to clear all forms when
    using public machines [internet cafe, business center etc.]. That
    would be: TOOLS - INTERNET OPTIONS - CONTENT - AUTOCOMPLETE: "CLEAR
    FORMS" & "CLEAR PASSWORDS". Not to mention shared private machines.

    End Call

    -- 
    http://www.malware.com
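
An added example, not part of the original post: a Python check for the condition the message describes, listing password fields in a page's markup that are not covered by AUTOCOMPLETE="off" on either the form or the field. The sample markup and its form and field names are constructed for illustration.

```python
from html.parser import HTMLParser

class AutocompleteAudit(HTMLParser):
    """Record password inputs that the browser is still allowed to remember."""

    def __init__(self):
        super().__init__()
        self.form = None          # (form name, form-level autocomplete is off)
        self.findings = []        # (form name, field name) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)           # html.parser lowercases tag and attribute names
        auto = (a.get("autocomplete") or "").strip().lower()
        if tag == "form":
            self.form = (a.get("name") or "(unnamed)", auto == "off")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            form_name, form_off = self.form or ("(no form)", False)
            # An explicit value on the field wins; otherwise inherit from the form.
            off = (auto == "off") if auto else form_off
            if not off:
                self.findings.append((form_name, a.get("name") or "(unnamed)"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

def audit(html):
    """Return (form, field) pairs for password inputs without autocomplete off."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup (not taken from either bank's site).
SAMPLE = """
<form name=signon_a method='post' AUTOCOMPLETE="off">
  <input type=text name="user"><input type=password name="pin">
</form>
<form name=signon_b method='post'>
  <input type=text name="user"><input type=PASSWORD name="pin">
</form>
<form name=signon_c method='post' autocomplete="off">
  <input type=password name="pin" autocomplete="on">
</form>
"""

if __name__ == "__main__":
    for form_name, field in audit(SAMPLE):
        print(f"form {form_name!r}: password field {field!r} allows autocomplete")
```

Current browsers' password managers may ignore autocomplete="off" on login fields, so a clean result here does not by itself mean credentials are never stored on a shared machine.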
    

