
The trouble with web security, or the most secure bank in America

Inspired by MrGrey's article about how Russian companies react to bad news about security holes, I decided to add my five kopecks and describe my experience of dealing with an American bank, which I will call "the most secure bank": it is one of the largest banks in America and probably in the world.

It all started with a congratulatory email about the registration of a credit card: the links in it did not work because of a slip, an extra space (%20) after http://. Having searched the site for a technical-support email without success, I found nothing better than to write to the online chat, where, of course, they did not understand me.

Frustrated, and having looked at the page source, which was a jumble of inline CSS and clouds of JS, I decided to ask Google about my new bank. Searching for something like site:bankname.com filetype:txt, I found about 20 pages on which backend source code was exposed. It looked as if someone had not enabled short tags, so the structure of all the directories and the way the code was written were visible at once.

Google also turned up a huge number of traceback pages on this wonderful bank's site; the tracebacks gave an excellent insight into which server the wonder-bank uses and which services and libraries.
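The two findings above (unprocessed backend source served as text, and stack traces served as error pages) are both things a site owner can catch in their own HTTP responses before a search engine indexes them. The following is an added example, not code from the original post or from the bank: a small response classifier that flags bodies containing raw PHP (including short tags), Java source, or Java/Python/PHP error traces. The sample responses and their URLs are constructed for the example and do not reproduce anything the author found.

```python
import re
from typing import Dict, Set

# Markers of server-side source that should never reach a browser.
SOURCE_MARKERS = [
    (re.compile(r"<\?(php|=)?\s"), "php_source"),              # raw PHP, incl. short tags
    (re.compile(r"^\s*package\s+[\w.]+;", re.M), "java_source"),
    (re.compile(r"^\s*import\s+java\.", re.M), "java_source"),
]

# Markers of error output that leaks server, framework and path details.
TRACE_MARKERS = [
    (re.compile(r"^\s+at\s+[\w$.]+\([\w$]+\.java:\d+\)", re.M), "java_stack_trace"),
    (re.compile(r"Traceback \(most recent call last\):"), "python_traceback"),
    (re.compile(r"^(Fatal error|Warning|Notice):.* in /.*\.php on line \d+", re.M), "php_error"),
]


def classify_response(body: str) -> Set[str]:
    """Return the set of leak labels found in one response body (empty if clean)."""
    findings = set()
    for pattern, label in SOURCE_MARKERS + TRACE_MARKERS:
        if pattern.search(body):
            findings.add(label)
    return findings


def scan_responses(responses: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each URL to its findings, keeping only URLs that leak something."""
    result = {}
    for url, body in responses.items():
        findings = classify_response(body)
        if findings:
            result[url] = findings
    return result


# Constructed sample responses (URL -> body), standing in for a crawl of one's own site.
SAMPLE_RESPONSES = {
    "/": "<!doctype html><html><body>Welcome to the bank</body></html>",
    "/scripts/old.txt": "<? include('db_config.inc'); $u = mysql_query('SELECT * FROM users'); ?>",
    "/api/accounts": (
        "java.lang.NullPointerException\n"
        "\tat com.example.bank.AccountService.load(AccountService.java:88)\n"
    ),
    "/blog/wp-login.php": "Warning: mysql_connect(): Access denied in /var/www/wp-config.php on line 12",
}

if __name__ == "__main__":
    for url, findings in scan_responses(SAMPLE_RESPONSES).items():
        print(f"{url}: {', '.join(sorted(findings))}")
```

Run over the bodies a crawler fetches from a staging or production host, the classifier gives a list of URLs to fix (serve source-like files with a deny rule, turn off verbose error pages) before anyone needs a search engine to find them.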
Having collected all this, I described all these problems, with an indication of how I found them (a link to the Google search), to every email address that could be determined through whois for the domain name (it is simply impossible to find any other addresses). Of course, no response followed; the code was still visible, the tracebacks still showed the structure. But this is my bank, so after thinking it over I put it all together, posted it on the wonder-bank's Facebook page and sent a couple of tweets. No answer.

Frustrated and angry, I found the wonder-bank's community forum, created a topic about the errors, described everything ... There was no answer.
Going through my topic at some point, I noticed a funny counter in the corner of the topic that naively counts the number of page loads.

Without thinking further, I wrote a couple of lines of code that reloaded the page in the background, something like:

#!/bin/bash
# Reload the forum topic in a loop; every fetch bumps the page-load counter.
TOPIC_URL="https://forum.example/topic"   # placeholder for the topic URL
for i in {1..99999999}
do
  echo "done $i"
  wget -qO- "$TOPIC_URL" > /dev/null 2>&1
done


At 60,000 thousand "views", two employees answered me at once: they would pass everything along, and they were ashamed that they had not replied.
Well, I was glad ... But while using their community forum I discovered a few more small blots and blunders, which I also wrote about.

Then I discovered that image insertion on this very forum is disabled in such a wrong way that it is not actually disabled. I demonstrated this to the whole administration, mentioning in passing how Opera allowed JS to be executed inside images.

In addition to the JS execution, the picture was for some reason also linked to the site it had been added from. And, of course, the transition to that site happens without any warning (in my opinion, an excellent way to steal someone's data).
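The two forum defects just described, an image embed that can carry script and an embed that silently links the reader off-site, are both fixed at the point where user input is turned into HTML. The following is an added example, not the bank's forum code and not from the original post; the forum software is unknown, so the helper names and the allowed-extension list are assumptions. It accepts only http(s) URLs with a raster-image extension (SVG can carry script, so it is excluded along with data: URIs), emits a bare <img> with no surrounding link and no referrer, and renders explicit links with rel="noopener noreferrer" and the destination host visible.

```python
import html
from typing import Optional
from urllib.parse import urlparse

# Raster formats a forum can embed; SVG is left out because it can contain <script>.
ALLOWED_IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".webp"}


def safe_image_tag(url: str, alt: str = "") -> Optional[str]:
    """Return an <img> tag for a user-supplied image URL, or None if it is rejected.

    Only http(s) URLs whose path ends in an allowed raster extension pass; data:,
    javascript: and SVG are rejected. The image is not wrapped in a link, and the
    browser is told not to send a referrer to the image host.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    if not any(parsed.path.lower().endswith(ext) for ext in ALLOWED_IMAGE_EXTENSIONS):
        return None
    clean = parsed._replace(fragment="").geturl()
    return (
        f'<img src="{html.escape(clean, quote=True)}" '
        f'alt="{html.escape(alt, quote=True)}" referrerpolicy="no-referrer">'
    )


def safe_external_link(url: str, text: str) -> Optional[str]:
    """Render a link the user typed explicitly, showing the destination host."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    href = html.escape(parsed.geturl(), quote=True)
    return (
        f'<a href="{href}" rel="noopener noreferrer nofollow" target="_blank">'
        f'{html.escape(text)} (external: {html.escape(parsed.netloc)})</a>'
    )


if __name__ == "__main__":
    # Constructed inputs: one benign image, three that must be rejected.
    for candidate in (
        "https://img.example.org/cat.png",
        "https://img.example.org/logo.svg",
        "data:image/svg+xml;base64,AAAA",
        'https://img.example.org/a.png"onerror="x',
    ):
        print(candidate, "->", safe_image_tag(candidate, alt="cat"))
```

The check is deliberately done on the parsed URL rather than with a regex over the raw string, so a quote injected into the path (the last sample above) fails the extension test before it ever reaches the attribute, and html.escape covers whatever does get through.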

Another interesting feature of the forum is the uncontrolled font size, which is, well, just ugly. At this point someone may think I am nitpicking, but gentlemen, this is a bank, a huge international bank (I personally think they should be an example in everything, not the other way around).

I again received no answers to this. Having decided to kill several birds with one stone (find a job at a cool bank and tell the bank's technical people about their troubles), I tried to submit a resume for one of the vacancies published on the site. What do you think? Of course I did not succeed: the system required fields to be filled in that did not exist in the HTML form.

While applying, I of course searched and found something more or less suitable for me: LAMP. Which, judging by my observations, the wonder-bank did not use (everything that faced outward looked like Java). After some thought, I decided to ask Google where the PHP was. Google told me about WordPress on one of the wonder-bank's subdomains. Going there, I discovered an open wp-admin (no protection from brute force) and an outdated WordPress with a world-famous XSS, which I again published on the wonder-bank's community forum, along with another 5 pages on which backend code was exposed to the world.

During my interest in this bank's helplessness I wrote 13 posts and received 2 replies. The replies said only that the information would be passed on. And judging by the fact that most of the problems have since been closed, the information was indeed passed on, but no one told me anything.

So the problem with attitudes to security is global.

[Image: the bank's community forum]

Source: https://habr.com/ru/post/213413/
