By Dan Goodin in San Francisco
20th August 2009
For the past five months, a website for investment services giant
Ameriprise Financial contained bugs that allowed even low-level
criminals to inject malicious content into official company webpages and
steal users' cookies, according to a web security expert.
The XSS, or cross-site scripting, flaws made it possible for phishers to
send Ameriprise customers bona fide links to the Ameriprise website that
opened pages that intermingled counterfeit content with legitimate text
and graphics. The holes could also allow criminals to steal browser
cookies used to authenticate online accounts.
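To make the mechanism in the preceding paragraph concrete, here is an added illustration (not code from the article, and not Ameriprise's own code) of the two defender-side controls that close this class of hole: HTML-encoding untrusted input before it is reflected into a page, and marking session cookies HttpOnly so that script running in the page cannot read them. The sample query string and the page template are constructed placeholders.

```python
import html
import re

# Constructed sample input: the kind of value a crafted link could carry in a
# query parameter. Placeholder for illustration only; it is not from the article.
SAMPLE_QUERY = "<script>alert(1)</script>"

# Tags the page template itself emits; anything else came from untrusted input.
TEMPLATE_TAGS = {"html", "body", "h1", "p"}


def render_search_vulnerable(query: str) -> str:
    """Reflect the untrusted query straight into the HTML (the flaw class at issue)."""
    return (
        "<html><body>"
        f"<h1>Results for {query}</h1>"
        "<p>No results.</p>"
        "</body></html>"
    )


def render_search_hardened(query: str) -> str:
    """Same page, but HTML-encode the untrusted value before it reaches the markup."""
    safe = html.escape(query, quote=True)
    return (
        "<html><body>"
        f"<h1>Results for {safe}</h1>"
        "<p>No results.</p>"
        "</body></html>"
    )


def unexpected_tags(page: str) -> list:
    """List opening-tag names in the rendered page that the template did not produce.

    A non-empty result means untrusted input reached the markup as live HTML,
    which is the condition a reflected XSS relies on.
    """
    found = re.findall(r"<\s*([a-zA-Z][a-zA-Z0-9]*)", page)
    return [t.lower() for t in found if t.lower() not in TEMPLATE_TAGS]


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session cookie that injected script cannot read.

    HttpOnly keeps the cookie out of document.cookie, so even a successful
    injection cannot read it; Secure and SameSite limit other exposure.
    """
    return f"SESSIONID={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"


def cookie_is_script_readable(set_cookie: str) -> bool:
    """True when a Set-Cookie header lacks HttpOnly, i.e. page script can read it."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return "httponly" not in attrs


if __name__ == "__main__":
    print(render_search_vulnerable(SAMPLE_QUERY))
    print("unexpected tags:", unexpected_tags(render_search_vulnerable(SAMPLE_QUERY)))
    print(render_search_hardened(SAMPLE_QUERY))
    print("unexpected tags:", unexpected_tags(render_search_hardened(SAMPLE_QUERY)))
    print(session_cookie_header("example-session-id"))
```

The `unexpected_tags` check is the kind of assertion a regression test for a page template can carry: render with a hostile-looking input and require that no element names appear beyond those the template writes itself. The cookie check expresses the second half of the article's concern: a cookie without HttpOnly is readable by any script that lands in the page, so the two controls belong together.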
In the five months since Russ McRee of HolisticInfoSec.org first
identified the bugs, Ameriprise offered customers statements like this
one, which assures visitors that "no one without the proper web browser
configuration can view or modify information contained on our systems."
And yet, not one of the half-dozen warnings McRee sent was answered.
"The reality is that not enough of these companies at that level,
particularly in the financial sector, properly do intake for
vulnerabilities," said McRee. "There should be something on their site
that says 'If you see a security issue on our site, please report it.'"