Cross Site Scripting Holes / Insecure Logins / Banking Security


Last update: 10/30/2006 (Over 4 years after this site was created, and still so many problems.) The sample links below will alert you with your cookie information from the site. If the site has fixed the problem, there will be no alert for the Cross Site Scripting entries. For insecure logins, the site should redirect you to https or not show the login form at all. To best see what information is exposed, first go to the site and log in, then come back here and see what information is alerted. As you can see, these are some of the top sites on the internet. We have not tested every site on the internet. Test the sites you use; if you find a hole, let us know. If your site is on here, fix the hole, then let us know.
In the news: Bank Sites Still Driven by Marketers
Company | Domain | Exploit Link
US HSBC Personal Banking | us.hsbc.com | (I'm withholding details) Resent message to bank 9/13/2006
Chase/Bank One | chase.com | Insecure Login Form
Bank of America | bankofamerica.com | Insecure Login Form (only part of full login)
US Bank | usbank.com | Insecure Login Form
Wachovia | wachovia.com | Insecure Login Form
Franklin Templeton Investments | Franklin-templeton.com | Insecure Login Form
Smith Barney / Citigroup | sbil.co.uk | Insecure Login Form
TD Waterhouse | tdwaterhouse.com | Insecure Login Form

What can you do?
1. Always log in to your financial accounts on a secure (https) page.
2. File a complaint with the government agency appropriate for the bank (see the list below).
3. If you are a reporter or other person with a blog, MAKE SOME NOISE! This needs attention to get fixed!

1. If the bank has the word National or the letters N.A. in its title, the complaint should be sent to Comptroller of the Currency, Customer Assistance Group, 1301 McKinney Street, Suite 3710, Houston TX 77010, 1 (800) 613-6743.

2. A complaint about a state-chartered bank that is a member of the Federal Reserve System should be sent to the Board of Governors of the Federal Reserve System, Director, Division of Consumer and Community Affairs, Washington, D.C. 20551, (202) 452-3693. http://www.federalreserve.gov/feedback.cfm

3. Complaints regarding state-chartered, federally insured banks that are not members of the Federal Reserve System should be sent to the Office of Bank Customer Affairs, Federal Deposit Insurance Corporation, Washington, D.C. 20429, 1 (800) 934-3342.

4. Complaints about federal-chartered savings banks should be sent to the Office of Thrift Supervision, Division of Consumer Affairs, Washington, DC 20552, 1 (800) 842-6929.

NOTE: The banks listed for insecure login place the login form on an insecure, non-https page. They often make it worse by placing a lock icon next to the login form. Do not trust lock icons drawn on web pages! Always check your browser's own lock icon, or open the page info dialog, to see whether the page is truly secure. Never type your login information into an insecure web page, even if the form submits to a secure page (see my example of a hacked action field). This type of login can easily be hijacked, proxied, or otherwise intercepted. More on Spoofing

Banks should also place contact information and any other sensitive information, wherever financial data is exchanged, on secure (https) pages. Users should not trust any content on a page that is not https.
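The check the note above asks users to make by hand can be automated for a page you administer or audit. The following is an added example, not code from this site: it parses an HTML page with Python's standard library, finds every form that contains a password field, resolves the form's action URL against the page URL, and reports whether credentials are being collected on an http page (including the case where the action is https but the surrounding page is not, which the note above warns about). The sample pages and host names are constructed for the example and do not correspond to any bank listed on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Verdict codes for a form that contains a password field.
OK = "OK"                                          # https page posting to https
HTTP_PAGE_HTTPS_ACTION = "HTTP_PAGE_HTTPS_ACTION"  # the "lock icon on an http page" case
HTTP_PAGE_HTTP_ACTION = "HTTP_PAGE_HTTP_ACTION"    # credentials never leave http at all
HTTPS_PAGE_HTTP_ACTION = "HTTPS_PAGE_HTTP_ACTION"  # secure page posting to an insecure action


class LoginFormFinder(HTMLParser):
    """Collect the resolved action URL of every form that contains a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []        # action URLs of completed password forms
        self._current = None     # (action_url, has_password) of the form being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or missing action means "post back to this page".
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = [action, False]
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            action, has_password = self._current
            if has_password:
                self.actions.append(action)
            self._current = None


def classify(page_url, action_url):
    """Classify one password form by the scheme of the page and of its action."""
    page_https = urlsplit(page_url).scheme == "https"
    action_https = urlsplit(action_url).scheme == "https"
    if page_https and action_https:
        return OK
    if page_https:
        return HTTPS_PAGE_HTTP_ACTION
    return HTTP_PAGE_HTTPS_ACTION if action_https else HTTP_PAGE_HTTP_ACTION


def audit_login_page(page_url, html):
    """Return [(verdict, resolved_action_url)] for every password form on the page."""
    finder = LoginFormFinder(page_url)
    finder.feed(html)
    finder.close()
    return [(classify(page_url, action), action) for action in finder.actions]


# Constructed sample pages on hypothetical hosts (not any real bank).
SAMPLES = [
    ("https login page", "https://secure.bank.example/login",
     '<form action="/auth" method="post"><input name="u">'
     '<input type="password" name="p"></form>'),
    ("http page, https action", "http://www.bank.example/",
     '<img src="lock.gif" alt="lock"> Member login '
     '<form action="https://secure.bank.example/auth" method="post">'
     '<input name="u"><input type="password" name="p"></form>'),
    ("http page, action rewritten in transit", "http://www.bank.example/",
     '<form action="http://not-the-bank.invalid/collect" method="post">'
     '<input name="u"><input type="password" name="p"></form>'),
    ("search form only (no password field)", "http://www.bank.example/",
     '<form action="/search"><input name="q"></form>'),
]


def run_samples():
    """Audit each constructed page; returns {label: [(verdict, action), ...]}."""
    return {label: audit_login_page(url, html) for label, url, html in SAMPLES}


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(f"{label}:")
        for verdict, action in findings or [("no password form", "-")]:
            print(f"  {verdict:24} {action}")
```

Only an `OK` verdict corresponds to what the browser's own lock icon would confirm; the third sample shows why the `HTTP_PAGE_HTTPS_ACTION` case is reported rather than accepted: the same http page, with its action attribute changed, produces a form that looks identical to the user but sends the password somewhere else, and nothing on the page itself can tell the two apart.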

Please report any other banks or websites with insecure (http) login forms using my email ( david at this domain ) .

