C2IT.com Security Holes
Summary
CitiBank's online cash site, C2IT.com, has substantial vulnerabilities
to Cross Site Scripting. The site is similar to PayPal in that it
lets users attach Bank and Credit Card accounts to this online system.
Users can then "send" cash to any user via their email address.
The site leaves nearly every form field unfiltered. The site also
displays credit card numbers, bank account numbers, security codes
and other data with no obfuscation. This info is then available to
javascript through cross site scripting. Citibank was notified 3
months ago about problems with their sites and many times since;
however, no noticeable actions have been taken yet.
This alert documents two sample attacks:
- Gaining access to users' credit card and bank account numbers
- Scripting cash transfers out of users' accounts
UPDATE: While these specific C2IT flaws have been fixed,
there are still other CitiBank flaws listed on
The List. In addition, they still skip BASIC
SECURITY 101 tips like obfuscating Credit Card numbers.
The rest of this document is now here only for historical
purposes and for educating people what has been done with
the simple CSS flaw.
Background
CERT issued an advisory on Cross Site Scripting over a year ago and gave
many specific recommendations on how to prevent such attacks.
http://www.cert.org/advisories/CA-2000-02.html
Public warning from me regarding Citibank and other sites
http://www.devitry.com/security.html
Citibank seems to think their site is pretty secure
https://www.c2it.com/C2IT/privacypromise.jsp#security
!!!! Warning: !!!!
Do not attempt to steal anyone's hard-earned money. I'm
sure that C2IT can now identify anyone attempting to use
these exploits. This code is provided only to show what
is theoretically possible through these Cross Site Scripting
holes and to let web site developers know what to look
for in the future when developing sites.
Alert User's Account Numbers (Credit Card / Bank account)
Description: Bank and Credit Card account numbers that are
attached to the user's C2IT account are hidden in the SendCash
form. They are accessible by javascript and by Cross Site Scripting.
This code can be passed to the ACCOUNT input variable and escaped
with ">. The script sets a timeout so that the full form can load.
It then accesses the SRC_ACCOUNT form field, which has an array of
bank/credit card numbers in it.
Page Location: https://www.c2it.com/C2IT/SendCash
Vulnerable Variable: AMOUNT
Pre-Req: User must be logged in and have an attached account.
Sample Script:
<script>
setTimeout("alert(document.forms[0].SRC_ACCOUNT.options[1].value)", 400);
</script>
Additional info: The whole list of that user's account numbers could be
sent to another site using document.location. The credit card
expiration date and 3 digit security code(!!!) are on the edit
account nickname page.
Automatically Transfer Cash out of Account.
Description: Forms and actions on the site can be scripted through
the Cross Site Scripting hole. One thing to script is the Send Cash
function, which lets one send money to any email address. This script
populates the send cash form with an email address and an amount to send
(the source account could also be selected; by default it comes out of
the C2IT account). The script then confirms the action.
Page Location: https://www.c2it.com/C2IT/SendCash
Vulnerable Variable: AMOUNT
Pre-Req: User must be logged in and have cash or a credit card attached.
Sample Script:
<script>
w=window.open("SendCash", "s","");
setTimeout("f=w.document.forms[0];f.DEST_EMAIL.value='u@you.com';f.AMOUNT.value=10;f.submit();",15000);
setTimeout("w.document.forms[0].submit();", 15000);
</script>
Additional info:
This could also be called from a dozen other pages / variables
on the site.
Covering your tracks
Description: A full attack may include ways to mask actions that have
occurred. C2IT's transaction history page can also be corrupted with
unescaped HTML characters. In the above transfer, simply adding
some HTML to the NOTE_TO_SELF field would show up on the user's
transaction history log inside an "A HREF"! A simple "> escapes that, and
HTML could then be used to obscure other information on the page. The HTML
code is left to your imagination.
Recommendations
Citibank: Citibank should shut down C2IT.com until all
Cross Site Scripting holes can be removed and the site can
be reprogrammed so that it doesn't expose sensitive account
information (credit card numbers, bank account numbers and
security codes).
Users: Users should not use C2IT.com until the problems
are fixed. If they must use the site, they should ensure that
no other browser windows or email readers are open, and they
should make sure they log out when finished.
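The two fixes the recommendations ask for, escaping every reflected form value and keeping full account numbers out of the page, shown as an added example. This is illustration code written for this page, not C2IT's code; the function names, the form field names used (AMOUNT, SRC_ACCOUNT, NOTE_TO_SELF, taken from the text above) and the sample account are assumptions. The same escaping also closes the NOTE_TO_SELF injection into the transaction history log described under "Covering your tracks".

```javascript
// Added example (not C2IT's code): server-side HTML escaping for the two
// contexts this advisory describes (a double-quoted attribute value and
// element text), plus masking of account numbers so the full value never
// reaches the browser. Names are assumptions chosen to mirror the advisory.

// Escape a value for insertion into HTML text or a double-quoted attribute.
// Encoding &, ", ', < and > means a value such as "><script> can no longer
// close the attribute it sits in or open a new tag.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Only the last four digits of an account number are ever rendered. The
// full number stays server-side; the form submits an opaque index instead.
function maskAccountNumber(number) {
  const digits = String(number).replace(/\D/g, '');
  return '****' + digits.slice(-4);
}

// Render the SendCash form. `amount` is echoed back from the request and
// is untrusted; `accounts` is the user's attached-account list held
// server-side. Option values are indexes, not account numbers.
function renderSendCashForm(amount, accounts) {
  const options = accounts
    .map((acct, i) =>
      `<option value="${i}">${escapeHtml(acct.nickname)} (${maskAccountNumber(acct.number)})</option>`)
    .join('');
  return (
    '<form method="post" action="/C2IT/SendCash">' +
    `<input type="text" name="AMOUNT" value="${escapeHtml(amount)}">` +
    `<select name="SRC_ACCOUNT">${options}</select>` +
    '</form>'
  );
}

// Render one transaction-history row; NOTE_TO_SELF is user-supplied text
// and is escaped before it lands inside the table cell.
function renderHistoryRow(noteToSelf, amount) {
  return `<tr><td>${escapeHtml(noteToSelf)}</td><td>${escapeHtml(amount)}</td></tr>`;
}

// Constructed sample data: one attached account (a well-known test card
// number, not a real account) and the kind of AMOUNT value the advisory
// describes, which tries to close the attribute and inject a tag.
const sampleAccounts = [{ nickname: 'My Visa', number: '4111111111111111' }];
const hostileAmount = '"><script>alert(1)</script>';
```

With escaping applied, the hostile AMOUNT value comes back as `value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"`: it is still inside the attribute, the browser shows it as text, and nothing executes. Separately, the rendered SRC_ACCOUNT list never contains a full account number, so even a script that did run would have nothing to read from document.forms[0].SRC_ACCOUNT.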
Conclusions
The good news is that simple updates to C2IT.com can completely
fix their site. They should also be able to track any accesses
to their system. The bad news is that this attack is very simple
and anyone with javascript knowledge could create devious code.
In addition, many other sites online still have not fixed
their Cross Site Scripting problems and could be vulnerable to
similar attacks.
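The conclusions note that the site operator should be able to track accesses to the system. One way to do that for the kind of request described in this advisory, shown as an added example that is not part of the original alert: scan web-server access logs for query parameters that carry attribute-breaking or tag-opening markup. The log format (Common Log Format with the query string in the request line), the parameter names and the log lines themselves are constructed for this example.

```javascript
// Added example (not C2IT's code): flag requests whose query parameters
// contain HTML/script markup rather than an amount or an address. Log
// format and parameter names are assumptions; the lines below are
// constructed sample data.

// Patterns that indicate a parameter is trying to break out of an HTML
// attribute or inject a tag, including the "> prefix used throughout
// this advisory.
const MARKUP_PATTERNS = [/"\s*>/, /<\s*\/?[a-z]/i, /javascript:/i];

// Parse one Common Log Format line:
//   ip ident user [time] "METHOD target HTTP/x" status bytes
// and split the target into path and decoded query parameters.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/);
  if (!m) return null;
  const [, ip, method, target, status] = m;
  const [path, query = ''] = target.split('?');
  const params = [];
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    let value = eq === -1 ? '' : pair.slice(eq + 1).replace(/\+/g, ' ');
    try {
      value = decodeURIComponent(value);
    } catch (e) {
      // Malformed percent-encoding: keep the raw value so it is still inspected.
    }
    params.push({ name, value });
  }
  return { ip, method, path, status: Number(status), params };
}

// Return one hit per (request, parameter) whose decoded value matches any
// markup pattern. Callers can alert on the source IP and the parameter.
function findInjectionAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    for (const { name, value } of req.params) {
      if (MARKUP_PATTERNS.some((re) => re.test(value))) {
        hits.push({ ip: req.ip, path: req.path, param: name, value });
      }
    }
  }
  return hits;
}

// Constructed sample log: a normal SendCash request, one whose AMOUNT
// carries a percent-encoded "><script> payload, and a POST with no query.
const sampleLog = [
  '10.0.0.5 - - [12/Mar/2001:10:01:02 -0500] "GET /C2IT/SendCash?AMOUNT=25.00 HTTP/1.0" 200 5120',
  '10.0.0.9 - - [12/Mar/2001:10:02:17 -0500] "GET /C2IT/SendCash?AMOUNT=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 5120',
  '10.0.0.9 - - [12/Mar/2001:10:03:40 -0500] "POST /C2IT/SendCash HTTP/1.0" 302 0',
];
```

The decoding step matters: the payload arrives percent-encoded in the request line, so matching on the raw log text would miss it. Parameters sent in a POST body are not in an access log at all, which is why this kind of scan is a complement to, not a substitute for, escaping the values when they are rendered.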