Re: Wachovia Bank website sends confidential information

[Bob Toxen <bob () verysecurelinux com>]

On Wed, Jul 11, 2007 at 12:38:54PM -0400, Steve Ragan wrote:
> The link now redirects to an HTTPS page
Thanks Steve.

This proves the value of Full Disclosure.

This seems to have changed within a few hours of my posting to Full
Disclosure rather than in the several weeks after I first alerted it.
Note that Wachovia still has not subsequently contacted me to thank me,
acknowledge my work, or to threaten me.

Yes, the page that consumers can get to by navigating Wachovia's web site
(or in response to the paper mail Wachovia sent out) now is the
following, which posts using https to provide strong encryption:

      https://www.wachovia.com/personal/forms/privacy_optout

It has comments with time-stamps of late yesterday, after I disclosed
on the list:

     <!-- Vignette V6 Tue Jul 10 19:28:33 2007 -->


I do note that the existing URL:

     http://www.wachovia.com/personal/forms/privacy_optout

still exists and is accessible.

That http page still appears to post the SSN, etc. unencrypted.
Clearly, someone needs to delete the old page or only allow it as https.
Of course, this is a very minor issue as there is no way for a consumer
"trip over" this page accidentally.

I wonder if Wachovia will follow the California state breach security
policy.


Bob


> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Bob Toxen
> Sent: Tuesday, July 10, 2007 8:20 PM
> To: full-disclosure () lists grok org uk
> Subject: [Full-disclosure] Wachovia Bank website sends confidential
> information
>
> Wachovia Bank website sends confidential information (social security
> numbers, phone number, address, etc.) over the Internet without encryption.
>
> Horizon Network Security Security Advisory 07/10/2007
> http://VerySecureLinux.com/ Jul 10, 2007
>
> I. BACKGROUND
>
> Wachovia Bank's official web site offers the following URL to allow its
> customers to change their privacy preferences:
>
>      http://www.wachovia.com/privacy
>
> Wachovia also notified its customers by U.S. Mail that they can use that
> same URL besides.
>
> That URL has a link to the following to actually change one's
> preferences:
>
>      http://www.wachovia.com/personal/forms/privacy_optout
>
> Unfortunately, that page appears to be an ordinary HTML form whose "filled
> out data" then is transmitted via the "post" method to an http (not https)
> URL.
>
> III. ANALYSIS
>
> We inspected the page's source via our Opera browser.  (We did not sniff the
> web traffic so we are not absolutely sure that there is not some hidden
> encryption method, though there appears to be none.)
>
> IV. DETECTION
>
> It is trivial to inspect the page source or sniff the data to demonstrate
> the problem.  The problem has not been corrected.
>
> V. WORKAROUND
>
> Use a method other than their web site to exercise one's preferences.
>
> VI. VENDOR RESPONSE
>
> The vendor (Wachovia Bank) was notified via their customer service phone
> number on June 25.  We were transferred to "web support".  The person
> answering asked us to FAX the details to her and we did so, also on June 25.
> We explained that we were reporting a severe security problem on their web
> site.
>
> We stated that that if we did not hear back from them within 7 days and the
> problem was not fixed by then that we would post the problem on the Full
> Disclosure list, following accepted industry practice.
>
> To date we have received no response and the problem remains unfixed.
>
> VII. CVE INFORMATION
>
> There is no CVE number.
>
> VIII. DISCLOSURE TIMELINE
>
> 06/25/2007  Initial vendor notification
> 06/25/2007  Vendor requested FAXed details
> 06/25/2007  Details FAXed to vendor
>
> 07/20/2007  No vendor response
> 07/20/2007  Public disclosure on this Full Disclosure list
>
> IX. CREDIT
>
> This problem was discovered by Bob Toxen, one of our engineers.
>
> X. LEGAL NOTICES
>
> Copyright C 2007 Horizon Network Security.  All rights reserved.
>
> Permission is granted for the redistribution of this alert electronically.
> It may not be edited without the express written consent of Horizon Network
> Security.  If you wish to reprint the whole or any part of this alert in any
> other medium other than electronically, please e-mail
> btoxen () VerySecureLinux com for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate at
> the time of publishing, based on currently available information.  Use of
> the information constitutes acceptance for use in an AS IS condition and
> waiving of the right to any action against Horizon Network Security or its
> employees or contractors.
>
> There are no warranties with regard to this information.  Neither the author
> nor the publisher accepts any liability for any direct, indirect, or
> consequential loss or damage arising from use of, or reliance on, this
> information.
>
> We believe Wachovia Bank is obligated by California's security breach
> disclosure laws to notify its California customers who may have used this
> form and the State of California.  Other jurisdictions also may have
> notification requirements.
>
> Bob Toxen,
> Horizon Network Security
> http://www.verysecurelinux.com       [Network & Linux/Unix Security
> Consulting]
> http://www.realworldlinuxsecurity.com [Our 5* book: "Real World Linux
> Security"]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
> No virus found in this incoming message.
> Checked by AVG Free Edition. 
> Version: 7.5.476 / Virus Database: 269.10.2/893 - Release Date: 7/9/2007
> 5:22 PM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/