By Matthew Broersma
21 May 2008
The Royal Bank of Scotland (RBS) has fixed a cross-site scripting flaw
in its Worldpay Internet payments service that could have allowed
attackers to steal users' credit card details, according to a report.
Adam Grit discovered the cross-site scripting (XSS) flaw in a secure
payment page of the Worldpay site, RBS' Internet payments service,
according to a report from IT industry journal The Register.
The flaw allowed third parties to inject content into the page, as Grit
demonstrated with a pop-up window reading "Is it safe?"
An attacker could have taken advantage of the flaw to inject a false
login box and steal user credentials, Grit said.
"I have tested this and confirm that unfortunately it does work on the
live Worldpay website," Grit wrote in a 29 April email to RBS, quoted in
the report. "Potentially, a fraudulent website could send the user to
the Worldpay website in order to pay for their purchase, with all of the
credit card details being then sent back to the hacker's server."
The flaw reportedly remained in place until Monday, a delay of three
weeks, but has now been patched.
The page affected was protected by an SSL certificate, which industry
bodies have said can instill a false sense of security.
In newer browsers, SSL-protected sites are downplayed in favour of those
using Extended Validation SSL, which requires more thorough validation
of the body requesting the certificate.
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com