Re: CITIBANK [CANADA]: INTERNET EXPLORER BROWSERS

From: Ben Laurie (ben@algroup.co.uk)
Date: 12/30/02

Next message: Frog Man: "PEEL (PHP)"

Previous message: Martin Schulze: "[SECURITY] [DSA 219-1] New dhcpcd packages fix remote command execution vulnerability"
In reply to: http-equiv@excite.com: "CITIBANK [CANADA]: INTERNET EXPLORER BROWSERS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 30 Dec 2002 21:47:45 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: http-equiv@malware.com

http-equiv@excite.com wrote:
> Sunday, December 29, 2002
>
> There is a small silly hitch with CITIBANK CANADA's secured sign in
> to online banking:
>
> https://citibankcanada.ebilling.com/index.jhtml
>
> Specifically AUTOCOMPLETE="off" in the forms. It is not set.
>
> While much explanation is made about SSL connections and fancy
> digital certificates, the simplest of web programming errors
> Thwarte ! all that:
>
> CITIBANK CANADA's login allows for the Microsoft Internet Explorer
> autocomplete feature to function. What that does is remember your
> name and password. So on a public or even private machine, all one
> needs to do is, double click the "name" form and the password will
> automicrosoftly autocomplete [fill in].

This is, of course, a fault in IE, not Citibank.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

Next message: Frog Man: "PEEL (PHP)"
Previous message: Martin Schulze: "[SECURITY] [DSA 219-1] New dhcpcd packages fix remote command execution vulnerability"
In reply to: http-equiv@excite.com: "CITIBANK [CANADA]: INTERNET EXPLORER BROWSERS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]