http://www.theregister.co.uk/2009/08/20/ameriprise_website_vulnerabilities/

By Dan Goodin in San Francisco
The Register
20th August 2009

For the past five months, a website for investment services giant Ameriprise Financial contained bugs that allowed even low-level criminals to inject malicious content into official company webpages and steal users' cookies, according to a web security expert.

The XSS, or cross-site scripting, flaws made it possible for phishers to send Ameriprise customers bona fide links to the Ameriprise website that opened pages that intermingled counterfeit content with legitimate text and graphics. The holes could also allow criminals to steal browser cookies used to authenticate online accounts.

In the five months since Russ McRee of HolisticInfoSec.org first identified the bugs, Ameriprise offered customers statements like this one, which assures visitors that "no one without the proper web browser configuration can view or modify information contained on our systems." And yet, not one of the half-dozen warnings McRee sent was answered.

"The reality is that not enough of these companies at that level, particularly in the financial sector, properly do intake for vulnerabilities," said McRee. "There should be something on their site that says 'If you see a security issue on our site, please report it.'"

[...]

Received on Fri Aug 21 2009 - 02:32:06 PDT