[SecurityRatty] tag: flaw

Online Finance Flaw: TIAA-CREF XSS & Potential CSRF

Wed, 03 Dec 2008 06:42:00 +0000

Before discussing a TIAA-CREF security flaw, allow me to clarify my "terms of engagement".
Prior to offering analysis of any security flaws in online financial services, be assured I have engaged the service provider and offered what I believe to a reasonable amount of time to remedy this issue. Specifically, a minimum of two weeks and three unique contact attempts are made. Should the vendor offer a timeline in which the issue will be resolved, so long as it is not months or years, I will wait until they are ready to deploy the fix, then discuss the vulnerability. If I am not in receipt of a reply other than generic customer service replies, I will follow the two week standard, then discuss the issue.

TIAA-CREF, or the Teachers Insurance and Annuity Association - College Retirement Equities Fund, is a respected, widely utilized provider of numerous financial products and services. The TIAA-CREF site is ranked 26,148 on Alexa.com at the time of this writing.

I'll first direct you to the TIAA-CREF Security page, where they discuss the expected elements like identity theft, spoofing, tips, and my favorite, phishing.
Here's where the trouble begins. Obviously, most phishing occurs when some miscreant creates a fake page and attempts to lure victims via email.
The severity of phishing risks are greatly increased by the introduction of a cross-site scripting (XSS) vulnerability in a site that is of high value to phishing attackers.
With such a vulnerability available, the prospect of success for a phisher are much higher given that the malicious URL they would craft could include the actual target domain, rather than a faked misrepresentation. A simple script insertion at the vulnerable variable would then allow the attacker to redirect victims to a maliciously crafted logon page in the context of the vulnerable site.
Sad side note: when you search security at the TIAA-CREF site, the above mentioned Security page is not returned in the results as I write this.
However, the resulting search URL serves as the starting point for our discussion of the flaw:
http://www.tiaa-cref.org/explore/portlets/search.jsp?query=security&strtfrm=1&totpresults=75&srchtype=4&sc=1&frmsite=0
The vast majority of non-search input variables on the TIAA-CREF site offer reasonable XSS protections, likely a blacklist method that redirects you to the following language when common XSS strings are noted, particularly where it counts at logon pages.
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
Unfortunately, this methodology was not deployed globally, and thus the following online finance flaw.
All input variables used in TIAA-CREF's search.jsp script are vulnerable to XSS.
Utilized by an attacker, this could have a much more significant impact on TIAA-CREF customers who fall victim to a now more convincing social engineering effort.
Here's the site before script insertion:

Here's the site after script insertion:

Further, certain parts of the site, including the Trust Company logon page, show potential signs of cross-site request forgery (CSRF) in that they accept updates via GET or allow submittal with the referrer stripped.

Lessons learned:
1) Don't assume all is well even though a site may offer examples of how attentive they are to security.
2) Never log on to an online financial service offering (or anything else for that matter) via a link sent to you in an email. Period.
3) Take all steps at your disposal to ensure you are logging in to and transacting with the actual site you intended to utilize. Don't depend on security badges and SSL certificates as your sole means of confirmation.
4) If you note something of concern at a site you utilize, advise them immediately and demand repair or clarification until you're satisfied.

Please feel free to send feedback to TIAA-CREF as I have per my "terms of engagement" above. Hopefully they'll resolve this issue soon, on behalf of customers in their care.

Up next in our series, two of the top five banks mentioned in Javelin Strategy & Research's Banking Identity Safety Scorecard are vulnerable to similar issues.

del.icio.us | digg | Submit to Slashdot

Vulnerabilities and Office Versions

Mon, 01 Dec 2008 04:19:33 +0000

Most of the ink on Microsoft vulnerability coverage goes to browsers and operating systems, but in a way the best progress vulnerabilities have made has been in Microsoft Office. Some of the great attacks of all time (remember LoveLetter?) have been through Office bugs, and I believe most targeted attacks over the last few years have utilized vulnerabilities in Office document parsers. That's why it's encouraging that Microsoft has done a much better job in making current versions of Office secure, as David LeBlanc's recent blog shows. He claims that the company has really stepped up the security testing for Office 2003 SP3 and Office 2007, and that it shows up in the number of reported vulnerabilities. The trend is clear: There are about half as many vulnerabilities as for earlier versions. There may be a little flaw in the analysis in that LeBlanc studied reports during the period from 9/18/2007 to 11/17/2008. By that time earlier Office versions had been around for a long time and many vulnerabilities had already been reported on them. But even so, it makes the numbers all the more impressive for the new versions; the older ones had already had the low-hanging fruit picked clean and yet they still had CVE numbers in excess of the new ones. It seems there is no low-hanging vulnerability fruit in new versions of Office. Are you running an old version of Office? Are you running Office 2003 SP2, which reached the end of support life in October? If so, you are exposing yourself to more known threats than you may think. Office versions are not plug-and-play interchangeable. It's unfortunate that Microsoft saw fit to accompany Office 2007's security enhancements with a radical user interface change. I personally have gotten used to it, but I can see an enterprise being intimidated by the training it would necessitate. If you feel you're stuck in Office 2003, at the very least it's irresponsible to linger on in an old service pack. Do what you can to move on to SP3.

Online Finance Flaws: An Awareness Campaign

Sat, 29 Nov 2008 19:08:00 +0000

Here begins a series regarding web application security inadequacies in online financial service offerings. The services to be discussed will include banks, credit unions, credit card companies, and others. As the economy struggles profoundly, and much of the blame points at the financial sector, I believe it important to point out the false sense of security so many brand-name financial services wrongly instill in their customers.
Often this sense of security is coupled with a typical "security badge" provider, helping drive conversions rather than security, as we will also legitimize how often the badge providers miss the mark on their promises.
Accountability in loan making decisions and practices might have prevented the sub-prime market collapse and the subsequent credit crunch that has hogtied our economy.
Accountability with regard to web application security while providing online financial services is now all the more important as cybercrime will continue to increase at a pace proportionate to economic woes.
Each post relevant to this campaign will include Online Finance Flaw in its title for tracking purposes.
Look forward to surprising flaws in financial services brands you'll recognize.
Perhaps, the more attention we draw to services that should place security above all else, the more likely it is they'll commit to improving their security posture.
Feel free to comment or contribute; we'll begin in a day or two.

Bug allowed free access to Sirius radio service

Mon, 24 Nov 2008 02:00:00 +0000

TippingPoint says it has found a flaw in Sirius satellite radio that could be used to get free service.

BREAKING: New Gmail Security Flaw. More Domains Get Stolen!

Sat, 22 Nov 2008 06:30:02 +0000

Several things have happened in the last two days that have made me believe that Gmail has a serious security flaw and everyone should be aware about it.

IETF: Should we ignore the Kaminsky bug?

Thu, 20 Nov 2008 02:00:00 +0000

The ongoing debate about a serious flaw in the DNS discovered this summer brings to mind a famous quotation from Voltaire: "The perfect is the enemy of the good."

Presented By:

Expedition Week Continues Tonight

Seven nights of one great discovery after another continues tonight at 9P e/p only on National Geographic Channel. From the ancient pyramids to the ocean depths, from lost cities to outer space, travel with the latest generation of intrepid explorers as they make one great discovery after another. Expedition Week, only on National Geographic Channel.
www.natgeotv.com/expedition

Ads by Pheedo

IETF: Should we ignore the Kaminsky bug?

Wed, 19 Nov 2008 21:00:00 +0000

The Internet engineering community is grappling with what to do about a serious flaw in the DNS discovered this summer, and the ongoing debate brings to mind a famous quotation from Voltaire: "The perfect is the enemy of the good."

How does Microsoft explain seven-year patch delay?

Fri, 14 Nov 2008 22:50:01 +0000

The software giant says that fixing the flaw earlier would have broken customer network applications.

Worm Risk Spurs Critical Microsoft Patch

Wed, 12 Nov 2008 21:00:00 +0000

A scary security flaw that would allow malicious worms to infect one PC and then automatically jump to others prompted Microsoft to release a rare out-of-cycle patch in October. The glitch is critical for both 32-bit and 64-bit versions of Windows XP and Windows Server 2003, and for Windows Server 2000. Microsoft says that targeted attacks exploited the hole prior to the patch's release, and that "detailed exploit code" is currently available online.

Microsoft Fixes 8-year Old Design Flaw in SMB

Wed, 12 Nov 2008 18:11:12 +0000

With regard to the recent Patch Tuesday fix, there has been an issue fixed regarding NTLM Relaying, that has been around for more than eight years.

In 2000, I wrote an advisory about NTLM relaying (CVE-2000-0834). The problem turned out to be significantly larger than I originally suggested in the advisory. The attack extended to other NTLM-based authentications on other protocols and allowed general-purpose credential theft via a man-in-the-middle attack.

The SMBRelay tool was published in 2001 by Sir Dystic of Cult Of The Dead Cow, and that really took it to the next level. The protocol completely fell apart. It kicked off a number of other analyses of the NTLM protocol that finally resulted in this patch. Eight years after it’s discovery.

At least they got around to it. Thanks!