Charter One Bank privacy/security hole

From: Dustin Miller (dustinat_private)
Date: Tue Nov 13 2001 - 17:17:22 PST

    I recently e-mailed Charter One to notify them of this security
    loophole.  Their response was just plain ignorant, telling me there is
    no security problem when there is clearly a gaping one.
    
    This affects ALL Charter One online banking customers who sign up for
    additional deposit/savings accounts from the Charter One online banking
    site.
    
    When logged in to the Charter One online banking site, one of the menu
    options (New Accounts) allows you to apply online for Deposit Accounts
    or Consumer Loans.  Selecting either of those options brings up a page
    prompting you to "click the 'Submit' button below".  Clicking that
    button submits a form with hidden form fields containing the customer's
    name, address, phone number, zip code, and social security number.
    That, in and of itself, is a bit unusual.  The bad part is this: It
    submits it to an insecure form, allowing anyone sniffing that connection
    access to all the information they need to steal the customer's
    identity.
    
    Here's a snippet of the offending code (identifying info ***'d out):
    
    <form  name="confirmGo" method="post"
    action="http://www.charterone.com/pf/brokat_deposit.asp" />
    <input type="hidden" name="URLRETURN"
    value="https://www.totallyfreebanking.com/deposit_accounts.jsp" />
    <input type="hidden" name="SOURCEURL"
    value="https://www.totallyfreebanking.com/deposit_accounts.jsp" />
    <input value="*********"      name="TAXID"      type="hidden">
    <input value="DUSTIN"       name="NAME"       type="hidden">
    <input value="MILLER"      name="NAME_2"     type="hidden">
    <input value="**********************"    name="ADDRESS"
    type="hidden">
    <input value=""   name="ADDRESS_2"  type="hidden">
    <input value="*************"       name="CITY"       type="hidden">
    <input value="**"      name="STATE"      type="hidden">
    <input value="*****-****"        name="ZIP"        type="hidden">
    <input value="**********"  name="HOME_PHONE" type="hidden">
    <input value="dustinat_private"      name="EMAIL"      type="hidden">
     
    -----
    Dustin Miller, President
    FuseWerx LTD
    Purveyors of Technological Magic
    http://www.fusewerx.com 
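An added defender-side check, not part of Dustin's post: the script below parses a page's HTML and reports every form whose action resolves to a non-HTTPS URL while carrying hidden fields with names like the ones in the snippet above. The sensitive-name list, the page URL and the sample HTML are assumptions constructed for this example; the parser also handles the stray `/>` on the form tag, which browsers ignore and treat as an ordinary opening tag.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hidden-field names that must never travel unencrypted (assumed list, from the post).
SENSITIVE = {"taxid", "name", "name_2", "address", "address_2", "city",
             "state", "zip", "home_phone", "email"}

class FormAuditor(HTMLParser):
    """Records each form's action and the names of its hidden inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None   # [{"action": str, "hidden": [names]}]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "hidden": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "hidden":
            self._cur["hidden"].append(a.get("name") or "")

    def handle_startendtag(self, tag, attrs):
        # Browsers ignore the stray "/" in <form ... />, so keep such a form open.
        self.handle_starttag(tag, attrs)
        if tag != "form":
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def find_cleartext_leaks(html, page_url):
    """Return (resolved action, [sensitive hidden names]) per non-HTTPS form."""
    p = FormAuditor()
    p.feed(html)
    leaks = []
    for f in p.forms:
        target = urljoin(page_url, f["action"])   # relative actions inherit the page scheme
        hit = [n for n in f["hidden"] if n.lower() in SENSITIVE]
        if hit and urlparse(target).scheme.lower() != "https":
            leaks.append((target, hit))
    return leaks

# Constructed sample with the same shape as the post's snippet (values masked).
SAMPLE = """<form name="confirmGo" method="post"
action="http://www.charterone.com/pf/brokat_deposit.asp" />
<input type="hidden" name="URLRETURN" value="https://example.test/deposit.jsp" />
<input value="*********" name="TAXID" type="hidden">
<input value="**********" name="HOME_PHONE" type="hidden"></form>
<form name="ok" action="/pf/secure.asp"><input value="*" name="TAXID" type="hidden"></form>"""
```

Running `find_cleartext_leaks(SAMPLE, "https://example.test/")` flags only the first form, since the second one posts back to the HTTPS origin.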
    



    This archive was generated by hypermail 2b30 : Thu Nov 15 2001 - 18:17:13 PST