
Security Researcher Says Citibank Took A While To 'C2' Security Flaw


Citibank's online cash-payment site, C2IT.com, has fixed a security flaw that would have permitted an attacker to see credit-card numbers, bank-account numbers, and other customer information.
Security researcher Dave Devitry says Citibank's online cash-payment site, C2IT.com, has fixed a security flaw that he claims he privately warned the company about in September. Devitry says he uncovered a cross-site scripting vulnerability. The vulnerability, he says, would enable an attacker to see "credit-card numbers, bank-account numbers, security codes, and other data with no obfuscation."

According to Devitry, the flaw was fixed a few days after he posted his findings on SecurityFocus' Bugtraq vulnerability mailing list.

A Citibank spokeswoman says the company does not comment in detail about security issues. She says she is unaware of when Devitry first contacted Citibank about the vulnerability, and that she learned of it Monday.

In his alert, Devitry detailed how hackers could gain access to customers' credit and bank information, as well as transfer cash out of their accounts. Devitry says such an attack would be very simple: "Anyone with JavaScript knowledge could create devious code." Citibank's handling of the incident, he claims, demonstrates the need for full disclosure of discovered security vulnerabilities.

Cross-site scripting isn't a new flaw. The federally funded security watchdog group CERT/CC published an alert in February 2000 about the problem.
