Re: Bank of America Online Banking Security

From: Eric N. Valor (ericvat_private)
Date: Fri Sep 14 2001 - 12:57:54 PDT

    The other solution to this problem is more of a social-engineering 
    workaround.  Whenever I use an online banking session, after logging out of 
    the session I always scrub both the memory and disk caches of my browser 
    immediately after leaving the secure area.
    
    >Date: 14 Sep 2001 05:03:10 -0000
    >From: Brad Will <duke33at_private>
    >To: bugtraqat_private
    >Subject: Bank of America Online Banking Security
    >
    >TOPIC:  Bank Of America Online Banking Website
    >Vulnerable to Reauthentication of Logged Out
    >Sessions
    >
    >DATE:  9-13-2001
    >FOUND BY: Brad Will
    >STATUS: Bank of America's Customer Service and
    >Technical Support were notified on 8/1/2001.  Both
    >replied with canned "this will be forwarded to the
    >appropriate parties" responses.
    >
    >DESCRIPTION: Users of the Bank of America Online
    >Banking website are vulnerable to a basic web
    >security hole.  After logging the current session out, a
    >user can back up to a cached page
    >(https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller)
    >in their browser's history.
    >(This is most easily reproduced in Netscape.  In
    >MSIE, the user will more than likely be automatically
    >redirected to another page.)
    >Once on this page, the user can press the "refresh"
    >button in their browser.  This will repost the login
    >credentials from the previous login, creating a new
    >session, and logging the user in to the site.
    
    --
    Eric N. Valor
    ericvat_private
    Webmeister/Inetservices
    Lutris Technologies
    ericat_private
    
    - This Space Intentionally Left Blank -
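
The replay described in the advisory above (refreshing the cached login POST after logout) can also be closed on the server side. The sketch below is an added illustration, not code from this thread or from the bank's site; the `LoginController` class, the `login_nonce` form field, the `/accounts` path and the demo account are all hypothetical.

```python
import hashlib, hmac, secrets

# Constructed demo account; a real deployment would use a slow password hash.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

class LoginController:
    def __init__(self):
        self.pending_nonces = set()  # nonces issued with a form and not yet used
        self.sessions = {}           # session id -> username

    def get_login_form(self):
        """Serve the login form with a fresh single-use nonce and no caching."""
        nonce = secrets.token_urlsafe(32)
        self.pending_nonces.add(nonce)
        headers = {"Cache-Control": "no-store", "Pragma": "no-cache"}
        return 200, headers, {"login_nonce": nonce}

    def post_login(self, form):
        """Accept credentials once per issued nonce, then redirect (POST/Redirect/GET)."""
        nonce = form.get("login_nonce", "")
        if nonce not in self.pending_nonces:
            # A refreshed or replayed POST carries an already-consumed nonce.
            return 403, {"Cache-Control": "no-store"}, None
        self.pending_nonces.discard(nonce)  # consume before checking the password
        expected = USERS.get(form.get("user", ""), "")
        supplied = hashlib.sha256(form.get("password", "").encode()).hexdigest()
        if not hmac.compare_digest(expected, supplied):
            return 401, {"Cache-Control": "no-store"}, None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = form["user"]
        # 303 makes the browser GET the landing page, so "refresh" there
        # re-requests that page instead of re-sending the credential POST.
        return 303, {"Location": "/accounts", "Cache-Control": "no-store"}, sid

    def logout(self, sid):
        self.sessions.pop(sid, None)

def demo():
    """Log in, log out, then replay the identical POST as a browser refresh would."""
    app = LoginController()
    _, _, fields = app.get_login_form()
    post = {"user": "alice", "password": "correct horse", **fields}
    first = app.post_login(post)
    app.logout(first[2])
    replay = app.post_login(post)
    return first[0], replay[0], len(app.sessions)
```

The nonce is consumed even when the password is wrong, so every attempt needs a freshly served form and a stored copy of an old POST body is useless on its own.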
    



    This archive was generated by hypermail 2b30 : Fri Sep 14 2001 - 14:32:45 PDT