HSBC plugs hole that exposed site directory

[Frank]

HSBC plugs hole that exposed site directory
John Lewis Partnership site rather too open for comfort

By John Leyden

Posted in Enterprise Security, 29th April 2008 09:49 GMT

Free whitepaper – The shortcut guide to managing certificate lifecycles

HSBC has finally fixed a bug that allowed web surfers to browse the directory structure of a supposedly secure website it helps to run.

The John Lewis Partnership card secure website (a joint venture with HSBC) allowed the curious, and potentially malicious, to peek into its underlying structure

"Great if you were planning a phishing attack and wanted to get a complete site layout and set of assets," as Reg reader Liam notes.

The problem was first drawn to our attention by Reg reader Martin, who came across it when looking at his John Lewis Partnership credit card statement. He told us about the bug back at the start of April.

"I've just tried to look at my John Lewis Partnership credit card statement (operated by HSBC) and was greeted by the directory listing of the website," Martin said at the time. "I doubt there was any very interesting information there, but it shows something is going pretty wrong there." He supplied screenshots to back up his concerns, which we won't republish in case they give miscreants any clues.

The directory problems at the site were one of three information security queries about HSBC we put to the bank early this month. It was able to satisfactorily explain the other two but not immediately deal with the directory browsing, asking for more information, which we didn't immediately have to hand.

It was only when Liam's tip-off came in, prompting fresh inquiries from El Reg, that it zeroed in on the problem.

"Although there is no access to any customer data via this link, there is no reason for the content of John Lewis's website to be available in this format. We are in the process of removing access to the John Lewis Partnership card website from this link," a spokesman for the bank explained.

HSBC has now fixed the bug.

Taken on its own the directory browsing problem is no big deal. But HSBC has had all sorts of problems keeping its e-payments system up and running over recent weeks, for example, to say nothing of the unfortunate incident when it lost customer data in the post or earlier problems in forgetting to renew one of its digital certificates on time.

Recent developments suggest the bank is becoming more committed to making its ecommerce sites more secure, however. The bank has begun using (http://www.verisign.com/press_releases/pr/page_043673.html) extended validation certs from VeriSign; a welcome step in itself, but of course irrelevant to ecommerce merchants who lost money through its ecommerce processing outages. ®

[Singapore]

HSBC, Barclays and The Telegraph sites were found vulnerable to cyber fraud

June 2, 2009 - 3:52pm | author: Petrony | Fraud | News

 

Last week was a week of numerous discoveries of high-profile web vulnerabilities, with discoveries of careless bugs on the sites of three British companies, says the Register. Hackers published the screenshots and other details of online banking sites for HSBC and Barclays Group and the website for The Telegraph that showed all three were susceptible to attacks that could compromise the security of people who visit the properties.

The paper says that the XXS, or cross-site scripting, errors on HSBC were still present on a variety of HSBC sites on Monday afternoon California time, some 48 hours after the XSSed blog first reported them. These flaws allowed hackers to inject javascript and content into HSBC websites simply by tricking a user into clicking on a specially manipulated web address.

According to the researchers Barclays had similar bugs but as of Monday afternoon, they appeared to have been fixed.

Another XSSed report of the HackersBlog revealed details of a SQL injection vulnerability in the main website for The Telegraph. As the Reg reports the vulnerability looked especially severe because it exposed sensitive system files to those who knew how to append database commands to the website address.