[ISN] Royal Bank of Scotland fixes data-stealing flaw

From: InfoSec News (alerts@private)
Date: Thu May 22 2008 - 01:42:42 PDT


By Matthew Broersma
21 May 2008

The Royal Bank of Scotland (RBS) has fixed a cross-site scripting flaw 
in its Worldpay Internet payments service that could have allowed 
attackers to steal users' credit card details, according to a report.

Adam Grit discovered the cross-site scripting (XSS) flaw in a secure 
payment page of the Worldpay site, RBS' Internet payments service, 
according to a report from IT industry journal The Register.

The flaw allowed third parties to inject content into the page, as Grit 
demonstrated with a pop-up window reading "Is it safe?"

An attacker could have taken advantage of the flaw to inject a false 
login box and steal user credentials, Grit said.

"I have tested this and confirm that unfortunately it does work on the 
live Worldpay website," Grit wrote in a 29 April email to RBS, quoted in 
the report. "Potentially, a fraudulent website could send the user to 
the Worldpay website in order to pay for their purchase, with all of the 
credit card details being then sent back to the hacker's server."

The flaw reportedly remained in place until Monday, a delay of three 
weeks, but has now been patched.

The page affected was protected by an SSL certificate, which industry 
bodies have said can instill a false sense of security.

In newer browsers, SSL-protected sites are downplayed in favour of those 
using Extended Validation SSL, which requires more thorough validation 
of the body requesting the certificate.

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Thu May 22 2008 - 01:49:16 PDT