[ISN] Security bugs crawl all over financial giant’s website

From: InfoSec News <alerts_at_private>
Date: Fri, 21 Aug 2009 04:32:06 -0500 (CDT)

By Dan Goodin in San Francisco
The Register
20th August 2009 

For the past five months, a website for investment services giant 
Ameriprise Financial contained bugs that allowed even low-level 
criminals to inject malicious content into official company webpages and 
steal users' cookies, according to a web security expert.

The XSS, or cross-site scripting, flaws made it possible for phishers to 
send Ameriprise customers bona fide links to the Ameriprise website that 
opened pages that intermingled counterfeit content with legitimate text 
and graphics. The holes could also allow criminals to steal browser 
cookies used to authenticate online accounts.
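The two exposures described above, a reflected parameter that turns a bona fide link into a page carrying attacker markup and a session cookie that page script can read, shown beside their fixes. This is an added illustration, not code from the article or from the Ameriprise site; the host, the `q` parameter and the cookie value are constructed.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample: a link to the real host whose "q" parameter carries
# markup. The host and parameter name are hypothetical.
SAMPLE_LINK = ("https://example.invalid/search"
               "?q=%3Cscript%3E%2F*injected*%2F%3C%2Fscript%3E")


def query_param(url, name):
    """Return the first value of a query-string parameter, or '' if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(term):
    """Reflects the term verbatim, so any markup in it becomes part of the
    'official' page (the defect the article describes)."""
    return f"<h1>Results for {term}</h1>"


def render_hardened(term):
    """Same page, but the term is HTML-encoded before it is reflected, so
    '<', '>', '&' and quotes are displayed as text rather than parsed."""
    return f"<h1>Results for {html.escape(term, quote=True)}</h1>"


def session_cookie_header(value):
    """Set-Cookie line that keeps the session cookie out of reach of page
    script (HttpOnly) and off plaintext connections (Secure)."""
    return f"Set-Cookie: session={value}; Secure; HttpOnly; SameSite=Lax; Path=/"


def reflected_unencoded(rendered, term):
    """Detection check for a response: True when a term containing markup
    characters appears in the output exactly as submitted."""
    return any(c in term for c in "<>\"'&") and term in rendered


if __name__ == "__main__":
    term = query_param(SAMPLE_LINK, "q")
    print("vulnerable:", render_vulnerable(term))
    print("hardened:  ", render_hardened(term))
    print(session_cookie_header("constructed-session-id"))
```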

In the five months since Russ McRee of HolisticInfoSec.org first 
identified the bugs, Ameriprise offered customers statements like this 
one, which assures visitors that "no one without the proper web browser 
configuration can view or modify information contained on our systems." 
And yet, not one of the half-dozen warnings McRee sent was answered.

"The reality is that not enough of these companies at that level, 
particularly in the financial sector, properly do intake for 
vulnerabilities," said McRee. "There should be something on their site 
that says 'If you see a security issue on our site, please report it.'"
