------------------------------
Message: 8
Date: Tue, 10 Jul 2007 20:20:14 -0400
From: Bob Toxen <bob@verysecurelinux.com>
Subject: [Full-disclosure] Wachovia Bank website sends confidential information
To: full-disclosure@lists.grok.org.uk
Message-ID: <20070711002014.gq4885@verysecurelinux.com>
Content-Type: text/plain; charset=iso-8859-1
Wachovia Bank website sends confidential information
(Social Security numbers, phone number, address, etc.)
on the Internet without encryption.
Horizon Network Security security advisory 07/10/2007
http://verysecurelinux.com/ Jul 10, 2007
I. Background
Wachovia Bank's official web site offers the following URL to allow
customers to change their privacy preferences:
http://www.wachovia.com/privacy
Wachovia notified customers by U.S. mail that they can use that
same URL as well.
That URL has a link to the following for changing one's
preferences:
http://www.wachovia.com/personal/forms/privacy_optout
Unfortunately, that page appears to be an ordinary HTML form whose
"filled out data" is transmitted via the "POST" method to an HTTP
(not HTTPS) URL.
III. Analysis
We inspected the page's source via our Opera browser. (We did not
sniff the web traffic, so we are not absolutely sure that there is not some
hidden encryption method, though there appears to be none.)
IV. Detection
It is trivial to inspect the page source or sniff the data to
demonstrate the problem. The problem has not been corrected.
V. Workaround
Use a method other than the web site to exercise one's preferences.
VI. Vendor response
The vendor (Wachovia Bank) was notified via its customer service
phone number on June 25. We were transferred to "web support". The
person answering asked that we fax the details, and we did so,
on June 25. We explained that we were reporting a severe
security problem on the web site.
We stated that if we did not hear from them within 7 days and the
problem was not fixed, we would post the problem on the
Full Disclosure list, following accepted industry practice.
To date we have received no response, and the problem remains unfixed.
VII. CVE information
There is no CVE number.
VIII. Disclosure timeline
06/25/2007 Initial vendor notification
06/25/2007 Vendor requested faxed details
06/25/2007 Details faxed to vendor
07/20/2007 No vendor response
07/20/2007 Public disclosure on the Full Disclosure list
IX. Credit
The problem was discovered by Bob Toxen, one of our engineers.
X. Legal notices
Copyright © 2007 Horizon Network Security. All rights reserved.
Permission is granted for the redistribution of this alert electronically.
It may not be edited without the express written consent of Horizon
Network Security. If you wish to reprint the whole or any part of this
alert in any medium other than electronically, please e-mail
btoxen@verysecurelinux.com for permission.
Disclaimer: The information in this advisory is believed to be accurate at
the time of publishing, based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition and
waiving of any right of action against Horizon Network Security or its
employees or contractors.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
We believe Wachovia Bank is obligated under California's security breach
disclosure laws to notify California customers who may have used this
form, and the State of California. Other jurisdictions may
have notification requirements as well.
Bob Toxen,
Horizon Network Security
http://www.verysecurelinux.com [Network & Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [Our 5* book: "Real World Linux Security"]
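The check described in sections III and IV of the advisory (inspect the page source and see where the form's data goes) can be automated. The script below is an added example written for this page, not code from the advisory or from Wachovia: it parses an HTML page, resolves each form's action against the page URL, and flags any form whose action is not https:// while its input names look confidential. The host name `www.example-bank.test`, the field names and the markup are constructed for illustration, and `SENSITIVE_HINTS` is an assumed heuristic, not a standard list.

```python
# Added example (written for this page, not code from the advisory or the
# vendor): a static check for an HTML form that would send confidential
# fields over plain HTTP.  Host names, field names and markup are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic fragments of input names that suggest confidential data
# (an assumption for this example; tune it for the site under review).
SENSITIVE_HINTS = ("ssn", "social", "account", "phone", "address", "dob")


class FormAuditor(HTMLParser):
    """Collect every <form> on a page with its resolved action, its method
    and the names of the user-typed fields inside it."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # urljoin resolves a relative or empty action against the page
            # URL; that is how an http:// page ends up POSTing over http://.
            self._current = {
                "action": urljoin(self.page_url, a.get("action", "")),
                "method": a.get("method", "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name and a.get("type", "text").lower() not in ("submit", "hidden", "button"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, page_url):
    """Return one finding per form whose action is not https:// and whose
    fields look confidential: the resolved action, the method and the
    offending field names."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        scheme = urlparse(form["action"]).scheme.lower()
        sensitive = [n for n in form["fields"]
                     if any(h in n.lower() for h in SENSITIVE_HINTS)]
        if scheme != "https" and sensitive:
            findings.append({
                "action": form["action"],
                "method": form["method"],
                "sensitive_fields": sensitive,
            })
    return findings


# Constructed sample: a privacy opt-out form of the kind the advisory
# describes, served from an http:// page with a relative action (so the
# POST also travels over http://), plus a harmless https:// search form.
SAMPLE_PAGE_URL = "http://www.example-bank.test/personal/forms/privacy_optout"
SAMPLE_HTML = """
<html><body>
<form action="/personal/forms/privacy_optout" method="post">
  <input name="full_name" type="text">
  <input name="ssn" type="text">
  <input name="home_phone" type="text">
  <input name="street_address" type="text">
  <input name="submit" type="submit" value="Send">
</form>
<form action="https://secure.example-bank.test/search" method="get">
  <input name="q" type="text">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("UNENCRYPTED %s to %s carrying: %s"
              % (f["method"].upper(), f["action"], ", ".join(f["sensitive_fields"])))
```

A relative or empty `action` inherits the scheme of the page it sits on, so the page itself must be served over HTTPS as well as the action, and a `method="get"` form is no better than POST since the data goes in the URL. As the advisory itself notes, source inspection cannot rule out script that rewrites the action or encrypts fields at submit time, so a packet capture of the actual submission is the confirming step.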