http://www.techworld.com/security/news/index.cfm?newsID=101560 By Matthew Broersma Techworld 21 May 2008 The Royal Bank of Scotland (RBS) has fixed a cross-site scripting flaw in its Worldpay Internet payments service that could have allowed attackers to steal users' credit card details, according to a report. Adam Grit discovered the cross-site scripting (XSS) flaw in a secure payment page of the Worldpay site, RBS' Internet payments service, according to a report from IT industry journal The Register. The flaw allowed third parties to inject content into the page, as Grit demonstrated with a pop-up window reading "Is it safe?" An attacker could have taken advantage of the flaw to inject a false login box and steal user credentials, Grit said. "I have tested this and confirm that unfortunately it does work on the live Worldpay website," Grit wrote in a 29 April email to RBS, quoted in the report. "Potentially, a fraudulent website could send the user to the Worldpay website in order to pay for their purchase, with all of the credit card details being then sent back to the hacker's server." The flaw reportedly remained in place until Monday, a delay of three weeks, but has now been patched. The page affected was protected by an SSL certificate, which industry bodies have said can instill a false sense of security. In newer browsers, SSL-protected sites are downplayed in favour of those using Extended Validation SSL, which requires more thorough validation of the body requesting the certificate. _______________________________________________ Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 50 nations. Visit product displays by 30 top sponsors in a relaxed setting. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Thu May 22 2008 - 01:49:16 PDT