MasterCard, Others Plug Script Injection Leak

Internet News, written by Ryan Naraine, Jul 20, 2004

Credit card giant MasterCard was among a slew of online financial
institutions rushing to fix Web site design flaws that put users at risk of
phishing attacks.

After British researcher Sam Greenhalgh posted demos of cross-site scripting
and script-injection flaws on sites run by MasterCard, Barclaycard, Natwest
and WorldPay, the financial firms moved to plug the holes.

MasterCard went as far as removing the “find a card” section of its
Web site. The company also fixed its “ATM locator” feature.

Greenhalgh’s discovery of the “oversight of some basic security flaws”
highlights the security risks faced by financial institutions looking to do
business online.

While phishing attacks typically redirect users to fake Web sites resembling
the target site, Greenhalgh found that these attack scenarios could allow
hackers to hijack sensitive financial data from within the bank’s own Web
site, even when SSL was in use.

“What makes cross-site scripting vulnerabilities far more dangerous is
that the genuine site is itself manipulated to display spurious content,
rendering it almost undetectable to the victim,” Greenhalgh explained.

“Astonishingly, some of the most potentially sensitive sites on the
Internet to this form of exploitation are still openly susceptible. Script
injection is easy to protect against. Protecting a Web site against these
attacks takes nothing more than a little forethought from its
developers.”
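The “little forethought” Greenhalgh refers to is, in practice, encoding user-supplied text before it is written into a page. The following is an added example, not code from the article or from any of the sites it names: a minimal search-results page (the kind of “locator” or “find” feature mentioned above) that reflects a query parameter raw into the HTML, next to the hardened version that HTML-encodes it, plus a small check a reviewer can run to confirm that markup in the parameter no longer reaches the page intact. The parameter name `q`, the page layout and the sample query strings are all assumptions constructed for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query strings (not from the article): a benign search term
# and one whose value carries HTML markup ("<b>bold</b>", URL-encoded).
BENIGN = "q=Main+Street"
MARKUP = "q=%3Cb%3Ebold%3C%2Fb%3E"


def first_param(query_string: str, name: str) -> str:
    """Return the first value of `name` from a URL query string, or '' if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects the search term verbatim: whatever markup the parameter carries
    becomes part of the genuine site's page, which is exactly the script
    injection the article describes."""
    term = first_param(query_string, "q")
    return f"<p>Results for: {term}</p>"


def render_hardened(query_string: str) -> str:
    """Same page, but the term is HTML-encoded on output, so the browser shows it
    as text and never interprets it as markup or script."""
    term = first_param(query_string, "q")
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def reflects_markup(render, query_string: str) -> bool:
    """Review check: True if a parameter value containing a tag delimiter appears
    unencoded in the rendered output (i.e. the renderer reflects markup)."""
    term = first_param(query_string, "q")
    if "<" not in term and ">" not in term:
        return False
    return term in render(query_string)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name}: {render(MARKUP)}")
        print(f"  reflects markup: {reflects_markup(render, MARKUP)}")
```

The hardened renderer changes nothing about the page’s behaviour for ordinary input and needs no knowledge of any particular attack; it simply treats every reflected value as text. That is why the fix is independent of SSL, as the Netcraft note below observes: the encoding happens before the response is sent, whether the channel is encrypted or not.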

Netcraft, a firm that offers application testing and code review
services, said Greenhalgh’s findings will put pressure on the banks to
eliminate design flaws from their sites.

“Having the ability to run their
code from the financial institution’s own site is a big step forward for
fraudsters, as it makes their attack much more plausible, and will almost
certainly lead fraudsters to seek out banking sites vulnerable to cross-site
scripting as a refinement on current phishing attacks,” Netcraft said in a
note posted online.

“The technique works equally well over SSL, and so offers fraudsters the
enticing opportunity of having a phishing attack delivered over SSL with the
attacker’s code being served as part of a URL from the bona fide bank’s own
secure server,” the note stated.

“Further, if the vulnerable site uses cookies, it may be possible for the
fraudster to steal the user’s session cookie and hence hijack the user’s
secure session,” Netcraft added.

For MasterCard, the security gaffe comes just one month after the launch
of a new anti-phishing initiative.
In partnership with digital fraud detection firm
NameProtect, MasterCard outlined a new strategy to shut down the scams
before they can hurt consumers, rather than trying to catch them after
consumers have been duped.
