Cross Site Scripting Holes / Insecure Logins / Banking Security
Last update: May 29, 2009 (Over 8 years after this site was created, and still some sites with such basic problems)
These sample links will pop up an alert showing your cookie
information from the site. If the site fixes the problem, there will
be no alert for the Cross Site Scripting holes. For the insecure logins, a fixed site should redirect you to https or stop showing the login form on the http page. To best see what information is exposed, first go
to the site and log in, then come back here and see what info is alerted.
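To show what the alert is actually demonstrating, here is a small added illustration in Python (my own, not code from any of the sites listed): a search page that pastes the `q` parameter straight into its HTML, the same page with the parameter HTML-encoded, a check for whether a probe string comes back unencoded, and the cookie flags that keep a session cookie out of `document.cookie` in the first place. The hostname, parameter name and page template are made up for the demonstration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed probe: the same kind of harmless payload the sample links on this
# page use, which just pops an alert showing the page's cookies.
PROBE = "<script>alert(document.cookie)</script>"


def query_param(url: str, name: str = "q") -> str:
    """Pull one parameter out of a URL's query string (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(query: str) -> str:
    """Vulnerable pattern: the parameter is pasted straight into the HTML."""
    return f"<html><body><p>Results for: {query}</p></body></html>"


def render_safe(query: str) -> str:
    """Hardened pattern: encode for the HTML text context before output.
    html.escape turns <, >, &, " and ' into entities, so the browser shows
    the probe as text instead of running it."""
    return f"<html><body><p>Results for: {html.escape(query, quote=True)}</p></body></html>"


def reflects_unescaped(page: str, probe: str) -> bool:
    """True if the probe survives verbatim in the page, i.e. the site reflects
    input without encoding and a browser would execute it."""
    return probe in page


def session_cookie_header(value: str) -> str:
    """Cookie flags that limit the damage of an XSS hole: HttpOnly keeps the
    cookie out of document.cookie, Secure keeps it off plain-http pages."""
    return f"Set-Cookie: session={value}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    url = "http://site.example/search?q=" + PROBE  # constructed URL
    q = query_param(url)
    print("unsafe page reflects probe:", reflects_unescaped(render_unsafe(q), PROBE))
    print("safe page reflects probe:  ", reflects_unescaped(render_safe(q), PROBE))
    print(session_cookie_header("opaque-random-id"))
```

Note that the `HttpOnly` flag only stops the cookie from showing up in the alert; it does not close the hole. The real fix is the encoding in `render_safe`, applied to every place user input is written into a page.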
As you can see, these are some of the top sites on the internet. We
have not tested every site on the internet. Test the sites you use,
and if you find a hole, let us
know. If your site is on here, fix the hole, then let us
In the news: Bank Sites Still Driven by Marketers
3 out of 4 banking sites suffer from basic security flaws, a University of Michigan study found.
Top Banking Flaws:
- Important Unsecured Pages
- XSS Vulnerabilities
- Improper Emailing
- Improper session handling
What can you do?
1. Always login to your financial accounts on a secure (https) page
2. File a complaint with the government agency appropriate for the bank.
3. If you are a reporter or other person with a blog, MAKE SOME NOISE! This needs attention to get fixed!
1. If the bank has the word National or the letters N.A. in its title, the complaint should be sent to Comptroller of the Currency, Customer Assistance Group, 1301 McKinney Street, Suite 3710, Houston TX 77010, 1 (800) 613-6743.
2. A complaint about a state-chartered bank that is a member of the Federal Reserve System should be sent to the Board of Governors of the Federal Reserve System, Director, Division of Consumer and Community Affairs, Washington, D.C. 20551, (202) 452-3693. http://www.federalreserve.gov/feedback.cfm
3. Complaints regarding state-chartered, federally insured banks that are not members of the Federal Reserve System should be sent to the Office of Bank Customer Affairs, Federal Deposit Insurance Corporation, Washington, D.C. 20429, 1 (800) 934-3342.
4. Complaints about federal-chartered savings banks should be sent to the Office of Thrift Supervision, Division of Consumer Affairs, Washington, DC 20552, 1 (800) 842-6929.
The banks listed because of insecure login place the login form, where you type your login data, on an unsecured, non-https page. They often make it worse by placing a lock icon next to the login form. Do not trust lock icons drawn on webpages! Always check your browser's own lock icon, or select page info, to see if the page is truly secure. Never type in your login information on an insecure webpage (even if the form submits to a secure page; see my example of a hacked action field). This type of login can easily be hijacked, proxied, or otherwise intercepted. More on Spoofing
Banks should also serve contact information and any other sensitive pages where financial data is exchanged over secure (https) pages. Users should not trust any content on any page that is not https.
Please report any other banks or websites with unsecured (http) login forms using my email ( david at this domain ) .