C2IT.com Security Holes

  CitiBank's online cash site, C2IT.com, has substantial vulnerabilities
  to Cross Site Scripting.  The site is similar to PayPal in that it 
  lets users attach Bank and Credit Card account to this online system. 
  Users can then "send" cash to any user via their email address.  
  The site leaves nearly every form field unfiltered.  The site also
  displays credit card numbers, bank account numbers, security codes
  and other data with no obfuscation.  This info is then available to
  javascript through cross site scripting.   Citibank was notified 3s
  months ago about problems with their sites and many times since, 
  however, no noticeable actions have been taken yet.  
  This alert documents two sample attacks:  
  -Gaining access to user's credit card and bank account numbers
  -Scripting cash transfers out of users accounts

  UPDATE:  While these specific C2IT flaws have been fixed, 
    there are still other CitiBank flaws listed on 
    The List.  In addition, they still  skip BASIC 
    SECURITY 101 tips like obfuscating Credit Card numbers.  
	The rest of this document is now here only for historical 
	purposes and for educating people what has been done with 
    the simple CSS flaw.  

 CERT alerted to Cross Site Scripting over a year ago and gave 
  many specific recommendations on how to prevent such attacks.
 Public warning from me regarding Citibank and other sites

 Citibank seems to think their site is pretty secure
!!!! Warning: !!!! 
  Do not attempt to steal anyone's hard earned money.  I'm
  sure that C2IT can now identify anyone attempting to use
  these exploits.  This code is provided only to show what
  is theoretically possible through these Cross Site Scripting
  holes and to let web site developers to know what to look
  for in to future when developing sites.

Alert User's Account Numbers (Credit Card / Bank account)

 Description:  Bank and Credit Card account numbers that are 
  attached to the users C2IT account are hidden in the SendCash
  form.  The are accessible by javascript and by Cross Site Scripting.
  This code can be passed to the ACCOUNT input variable and escaped
  by "> .. The script sets a time out so that the full form can load.
  It then access the SRC_ACCOUNT form field which has an array of 
  bank/credit card numbers in it.

 Page Location:  https://www.c2it.com/C2IT/SendCash
 Vulnerable Variable:  AMOUNT

 Pre-Req:  User must be logged it and have attached account.
 Sample Script:  
      setTimeout("alert(document.forms[0].SRC_ACCOUNT.options[1].value)", 400);

  Additional info:  The whole list of that user's account numbers could be 
  sent to another site using document.location.  The credit card 
  expiration date and 3 digit security code(!!!) are on the edit 
  account nickname page. 

Automatically Transfer Cash out of Account.

  Description:  Forms and actions on the site can be scripted through
  the Cross Site Scripting hole.  One thing to script is the Send Cash
  function that lets one send money to any email address.  This script
  populates the send cash form with email address and amount to send.
  (source account could also be selected, by default it comes out of 
   C2IT account). The script then confirms the action. 
  Page Location:  https://www.c2it.com/C2IT/SendCash
  Vulnerable Variable:  AMOUNT
  Pre-Req:  User must be logged it and have cash or credit card attached.
  Sample Script:  
     w=window.open("SendCash", "s","");
     setTimeout("w.document.forms[0].submit();", 15000);

Additional info: This could also be called from a dozen other pages / variables on the site. Covering your tracks Description: A full attack may include ways to mask actions that have occurred. C2IT's transaction history page can also be corrupted with non escaped HTML characters. In the above transfer simply adding some HTML to the NOTE_TO_SELF field would show up on the users transaction history log in an "A HREF"! A simple "> escape that, and html could be used to obscure other info on the page. HTML code is left to your imagination. Recommendations Citibank: Citibank should shutdown C2IT.com until all Cross Site Scripting holes can be removed and the site can be reprogrammed so that it doesn't expose sensitive account information (credit card numbers, bank account numbers and security codes) Users: Users should not use C2IT.com until the problems are fixed. If they must use the site, the should ensure that no other browser windows or email readers are open, and they should make sure they logout when finished. Conclusions The good news is that simple updates to C2IT.com can completely fix their site. They should also be able to track any accesses to their system. The bad news is that this attack is very simple and anyone with javascript knowledge could create devious code. In addition, many other sites online still have not fixed their Cross Site Scripting problems and could be vulnerable to similar attacks.
If you don't get it,
infigon is a play on "info going."
Yes, your information will travel with these vulnerabilities!