Internet Bank Vulnerable!

From: Kelvin (kelvinat_private)
Date: Sat Jun 23 2001 - 18:25:56 PDT

  • Next message: Damieon Stark: "Re: An Amateur Pen-Test"

    This is highly interesting.
    
    I have discovered several Internet Banks that are vulnerable to many
    standard IIS vulnerabilities. Many of the exploits are quite old. Well for
    obvious reasons I notified the Bank and the vendor of the Internet Banking
    solution. I waited until today, which is 48 hours since the email and
    telephone notification and the Bank is still vulnerable. It amazes me every
    time something like this happens, it might not be so bad if it were cookies
    on a cooking website but it really is financial information on the website
    of a respected bank, it freaks me out even more.
    
    As a test, I ran a search string on the file system looking for various
    combinations such as: "$1,1", "0.12", "1,1"
    
    Amazingly enough I came up with entire listings of transactions and account
    data. The records included names, phone, numbers, credit cards, and the
    like. No socials.. That I felt good about.
    
    Has anyone else had a scenario as serious as this? I am wondering if there
    is a lesson someone here needs to learn! - Like maybe an associated press
    lesson. If the newspaper were to find out that a bank was vulnerable - Wow,
    they would eat that up, besides the problem I am sure would get fixed.
    
    Any thoughts?
    
    You can see the findings and the article at:
    http://www.sec33.com/archives/2001/internet_baking/banking_does_it_belong_on
    line.html
    
    Kelvin.
    



    This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 19:34:33 PDT