
Thread: Citibank Canada

  1. #1
    Senior Member
    Join Date
    Aug 2002
    Posts
    508

    Citibank Canada

    To: BugTraq
    Subject: Re: CITIBANK [CANADA]: INTERNET EXPLORER BROWSERS
    Date: Dec 30 2002 9:47PM
    Author: Ben Laurie <ben@algroup.co.uk>
    Message-ID: <3E10BF01.8070002@algroup.co.uk>
    In-Reply-To: <200212292137.gBTLbpE07368@web173.megawebservers.com>


    http-equiv@excite.com wrote:
    > Sunday, December 29, 2002
    >
    > There is a small silly hitch with CITIBANK CANADA's secured sign in
    > to online banking:
    >
    > https://citibankcanada.ebilling.com/index.jhtml
    >
    > Specifically AUTOCOMPLETE="off" in the forms. It is not set.
    >
    > While much explanation is made about SSL connections and fancy
    > digital certificates, the simplest of web programming errors
    > Thwarte ! all that:
    >
    > CITIBANK CANADA's login allows for the Microsoft Internet Explorer
    > autocomplete feature to function. What that does is remember your
    > name and password. So on a public or even private machine, all one
    > needs to do is, double click the "name" form and the password will
    > automicrosoftly autocomplete [fill in].

    This is, of course, a fault in IE, not Citibank.

    Cheers,

    Ben.


    I just read this on BugTraq... and my question is... is this a vulnerability of IE? If so, that could be dangerous, I suppose.
    I can't go to the link today, but two days ago still on

  2. #2
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    It's an IE issue. It's only a problem if you use a public computer with the Autocomplete feature turned on. They could have done better coding and included that autocomplete=off in the forms.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
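Added example, not part of the original thread or any poster's code: a small Python audit that parses a page's HTML and reports password fields whose effective autocomplete setting is not "off", which is the condition the BugTraq post describes. The sample markup, the `/signin` action and the field names are constructed for illustration and are not the bank's actual page.

```python
from html.parser import HTMLParser

# Constructed sample markup for illustration; not the bank's actual page.
LOGIN_UNSET = """<form action="/signin" method="post">
  <input type="text" name="name">
  <input type="password" name="password">
</form>"""
LOGIN_FORM_OFF = """<form action="/signin" method="post" AUTOCOMPLETE="off">
  <input type="text" name="name">
  <input type="PASSWORD" name="password" />
</form>
<form action="/search"><input type="text" name="q"></form>"""
LOGIN_FIELD_ON = """<form action="/signin" autocomplete="off">
  <input type="password" name="password" autocomplete="on">
</form>"""


class AutocompleteAudit(HTMLParser):
    """Record password fields whose effective autocomplete setting is not "off"."""

    def __init__(self):
        super().__init__()
        self.findings = []        # (form action, field name) pairs
        self._form = None         # attributes of the form being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)           # HTMLParser already lowercases attribute names
        if tag == "form":
            self._form = a
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            form = self._form or {}
            # A field-level attribute overrides the one on the enclosing form.
            setting = a.get("autocomplete") or form.get("autocomplete") or ""
            if setting.strip().lower() != "off":
                self.findings.append((form.get("action", ""), a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit(html):
    """Return (action, field) pairs for password fields not marked autocomplete off."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for page in (LOGIN_UNSET, LOGIN_FORM_OFF, LOGIN_FIELD_ON):
        print(audit(page) or "no exposed password fields")
```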

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    To disable autocomplete... follow the instructions here.

    I think this is also profile based, so you'd have to do that for every user account that has it turned on.
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    It's amazing that a program written for an online banking program wouldn't include that... someone no doubt lost their job!
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    The problem is, the page with the forms won't have anything preventing auto-complete to not work unless it might be an ASP page (I don't know if they do any kind of circumvention for things like this, like password fields are filled with *'s automatically). IE's to blame here for allowing ANY field to be filled in, no matter what the content, cookie timeout length, secure pages, etc etc.

    I'd simply make it (if I were doing anything with IE) so that any page that's "secure" to not cache anything previously put in said fields.

    EDIT: of course, that would require IE to UPDATE their browser and we know that hasn't happened in quite some time. <shameless plug> Opera 7 now has the 2nd beta out! </shameless plug>
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
