RealTime IT News

MasterCard, Others Plug Script Injection Leak

Credit card giant MasterCard was among a slew of online financial institutions rushing to fix Web site design flaws that put users at risk of phishing attacks.

After British researcher Sam Greenhalgh posted demos of cross-site scripting and script-injection flaws on sites run by MasterCard, Barclaycard, Natwest and WorldPay, the financial firms moved to plug the holes.

MasterCard went as far as removing the "find a card" section of its Web site. The company also fixed its "ATM locator" feature.

Greenhalgh's discovery of the "oversight of some basic security flaws" highlights the security risks faced by financial institutions looking to do business online.

While phishing attacks typically redirect users to fake Web sites resembling the target site, Greenhalgh found that the new attack scenarios could allow hackers to hijack sensitive financial data from within the bank's Web site, even if SSL security features were being used.

"What makes cross-site scripting vulnerabilities far more dangerous is that the genuine site is itself manipulated to display spurious content, rendering it almost undetectable to the victim," Greenhalgh explained.

"Astonishingly, some of the most potentially sensitive sites on the Internet to this form of exploitation are still openly susceptible. Script injection is easy to protect against. Protecting a Web site against these attacks takes nothing more than a little forethought from its developers."

Netcraft, a firm that offers application testing and code review services, said Greenhalgh's findings will put pressure on the banks to eliminate design flaws from their sites.

"Having the ability to run their code from the financial institution's own site is a big step forward for fraudsters, as it makes their attack much more plausible, and will almost certainly lead fraudsters to seek out banking sites vulnerable to cross-site scripting as a refinement on current phishing attacks," Netcraft said in a note posted online.

"The technique works equally well over SSL, and so offers fraudsters the enticing opportunity of having a phishing attack delivered over SSL with the attacker's code being served as part of a URL from the bona fide bank's own secure server," the note stated.

"Further, if the vulnerable site uses cookies, it may be possible for the fraudster to steal the user's session cookie and hence hijack the user's secure session," Netcraft added.

For MasterCard, the security gaffe comes just one month after the launch of a new anti-phishing initiative. In partnership with digital fraud detection firm NameProtect, MasterCard outlined a new strategy to shut down the scams before they can hurt consumers, rather than trying to catch them after consumers have been duped.