Cross-site scripting flaw on Winbank's easypay.gr SSL site

Tuesday, 12 May 2009

Hexspirit has reported another critical XSS vulnerability on easypay.gr, owned by Pireaus Bank / Winbank.

Quoting from https://www.easypay.gr/awardeasypay2005EN.pdf :

"Winbank easypay service is available through the internet at the address www.easypay.gr, and also as a phone service by calling 801-802-803-804. This revolutionary service is the result of the great experience winbank has gained in the electronic payments sector, through winbank internet (payments by debiting bank accounts) and winbank paycenter (payments by charging Visa and MasterCard credit cards and Visa Electron Debit cards).

Easypay accommodates all the e-payments needs of companies and organizations that do not have their own Points of Sale, or they want to increase their available electronic payment channels (e.g web, phone, fax). It is the only payments service in the Greek market that combines payments through the internet and phone, with Bank Account debit or Visa and MasterCard charge."

easypay.gr XSS Mirror (SSL)

Screenshots:

Fraudster's can inject this form with an Iframe and phish valid Piraeus Bank credit cards from unsuspecting easypay.gr users:

It is possible to inject other malicious scripts and infect users with crimeware.

We hope that their security staff will look into this issue and fix it as soon as possible.