http://securityratty.com/tag/flaws Thu, 30 Oct 2008 01:35:17 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/5978268eaad37c626521f5473142a03e http://securityratty.com/article/5978268eaad37c626521f5473142a03e TIAA-CREF security flaw, allow me to clarify my "terms of engagement".
Prior to offering analysis of any security flaws in online financial services, be assured I have engaged the service provider and offered what I believe to a reasonable amount of time to remedy this issue. Specifically, a minimum of two weeks and three unique contact attempts are made. Should the vendor offer a timeline in which the issue will be resolved, so long as it is not months or years, I will wait until they are ready to deploy the fix, then discuss the vulnerability. If I am not in receipt of a reply other than generic customer service replies, I will follow the two week standard, then discuss the issue.

TIAA-CREF, or the Teachers Insurance and Annuity Association - College Retirement Equities Fund, is a respected, widely utilized provider of numerous financial products and services. The TIAA-CREF site is ranked 26,148 on Alexa.com at the time of this writing.

I'll first direct you to the TIAA-CREF Security page, where they discuss the expected elements like identity theft, spoofing, tips, and my favorite, phishing.
Here's where the trouble begins. Obviously, most phishing occurs when some miscreant creates a fake page and attempts to lure victims via email.
The severity of phishing risks are greatly increased by the introduction of a cross-site scripting (XSS) vulnerability in a site that is of high value to phishing attackers.
With such a vulnerability available, the prospect of success for a phisher are much higher given that the malicious URL they would craft could include the actual target domain, rather than a faked misrepresentation. A simple script insertion at the vulnerable variable would then allow the attacker to redirect victims to a maliciously crafted logon page in the context of the vulnerable site.
Sad side note: when you search security at the TIAA-CREF site, the above mentioned Security page is not returned in the results as I write this.
However, the resulting search URL serves as the starting point for our discussion of the flaw:
http://www.tiaa-cref.org/explore/portlets/search.jsp?query=security&strtfrm=1&totpresults=75&srchtype=4&sc=1&frmsite=0
The vast majority of non-search input variables on the TIAA-CREF site offer reasonable XSS protections, likely a blacklist method that redirects you to the following language when common XSS strings are noted, particularly where it counts at logon pages.
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
Unfortunately, this methodology was not deployed globally, and thus the following online finance flaw.
All input variables used in TIAA-CREF's search.jsp script are vulnerable to XSS.
Utilized by an attacker, this could have a much more significant impact on TIAA-CREF customers who fall victim to a now more convincing social engineering effort.
Here's the site before script insertion:



Here's the site after script insertion:



Further, certain parts of the site, including the Trust Company logon page, show potential signs of cross-site request forgery (CSRF) in that they accept updates via GET or allow submittal with the referrer stripped.

Lessons learned:
1) Don't assume all is well even though a site may offer examples of how attentive they are to security.
2) Never log on to an online financial service offering (or anything else for that matter) via a link sent to you in an email. Period.
3) Take all steps at your disposal to ensure you are logging in to and transacting with the actual site you intended to utilize. Don't depend on security badges and SSL certificates as your sole means of confirmation.
4) If you note something of concern at a site you utilize, advise them immediately and demand repair or clarification until you're satisfied.

Please feel free to send feedback to TIAA-CREF as I have per my "terms of engagement" above. Hopefully they'll resolve this issue soon, on behalf of customers in their care.

Up next in our series, two of the top five banks mentioned in Javelin Strategy & Research's Banking Identity Safety Scorecard are vulnerable to similar issues.

del.icio.us | digg | Submit to Slashdot]]> Wed, 03 Dec 2008 06:42:00 +0000 tiaa-cref site cross-site tiaa-cref site tiaa-cref security flaw flaw tiaa-cref security page security page cross site Online Finance Flaw: TIAA-CREF XSS & Potential CSRF http://securityratty.com/article/1aabc5edbe215010d8c71b5aa4aa7551 http://securityratty.com/article/1aabc5edbe215010d8c71b5aa4aa7551 Often this sense of security is coupled with a typical "security badge" provider, helping drive conversions rather than security, as we will also legitimize how often the badge providers miss the mark on their promises.
Accountability in loan making decisions and practices might have prevented the sub-prime market collapse and the subsequent credit crunch that has hogtied our economy.
Accountability with regard to web application security while providing online financial services is now all the more important as cybercrime will continue to increase at a pace proportionate to economic woes.
Each post relevant to this campaign will include Online Finance Flaw in its title for tracking purposes.
Look forward to surprising flaws in financial services brands you'll recognize.
Perhaps, the more attention we draw to services that should place security above all else, the more likely it is they'll commit to improving their security posture.
Feel free to comment or contribute; we'll begin in a day or two.]]> Sat, 29 Nov 2008 19:08:00 +0000 security web application security financial services brands security badge services security posture online financial services economy economy struggles profoundly Online Finance Flaws: An Awareness Campaign http://securityratty.com/article/dffc7515c546b02b5835629983298e8c http://securityratty.com/article/dffc7515c546b02b5835629983298e8c
]]> Mon, 17 Nov 2008 02:00:00 +0000 claim success microsoft software predictions flaws company exploitable Microsoft: First exploit ratings show success http://securityratty.com/article/949c25cc922a5535dd873e46a0e7d378 http://securityratty.com/article/949c25cc922a5535dd873e46a0e7d378
]]> Fri, 14 Nov 2008 02:00:00 +0000 safari web browser apple major browser security flaws protection sites blocks receive feature Apple plays catch-up, ads anti-fraud safeguard to Safari http://securityratty.com/article/a18a8c554ba3730c699f5a2b2577779a http://securityratty.com/article/a18a8c554ba3730c699f5a2b2577779a
]]> Thu, 13 Nov 2008 02:00:00 +0000 firefox compromise computers mozilla vulnerabilities information bugs Mozilla fixes 11 new flaws in Firefox, six critical http://securityratty.com/article/2252473c0d17cce48f2fb9276bfd9515 http://securityratty.com/article/2252473c0d17cce48f2fb9276bfd9515 Wed, 12 Nov 2008 21:00:00 +0000 firefox compromise computers mozilla vulnerabilities wednesday information bugs Mozilla fixes 11 new flaws in Firefox, six critical http://securityratty.com/article/32a9820a8a9fd3ab36d6dcb672eb9b52 http://securityratty.com/article/32a9820a8a9fd3ab36d6dcb672eb9b52 Mon, 10 Nov 2008 21:00:00 +0000 install malicious software microsoft system tuesday security patch flaws attackers windows computer victim Microsoft fixes critical Web bugs with security updates http://securityratty.com/article/8e338676db24d29aac50f06e673b2772 http://securityratty.com/article/8e338676db24d29aac50f06e673b2772
]]> Thu, 06 Nov 2008 02:00:00 +0000 fix multiple vulnerabilities flash player adobe systems most-popular programs time security days Adobe fixes 6 flaws in Flash http://securityratty.com/article/95ab05eafbfa35d55bdaf6015fcff266 http://securityratty.com/article/95ab05eafbfa35d55bdaf6015fcff266 Sun, 02 Nov 2008 21:00:00 +0000 remarkably similar flaws security issues nightmare scenario presidential election machines tallies flip dre deployments Ed Felten on e-voting: What can go wrong http://securityratty.com/article/4b05c997f625f4489628e471be845ab9 http://securityratty.com/article/4b05c997f625f4489628e471be845ab9 Thu, 30 Oct 2008 01:35:17 +0000 openoffice patch highly-critical vulnerabilities expose users security vulnerability starsuite documents org emf files versions prior cve-2008-2237 Highly-critical Vulnerabilities Patched In OpenOffice Suite 2.4.2