Royal Bank of Scotland Fixes Data Theft Flaw

May 2008

The Royal Bank of Scotland (RBS) has fixed a cross-site scripting flaw in its Worldpay Internet payments service that could have allowed attackers to steal users' credit card details, according to a report.

Adam Grit discovered the cross-site scripting (XSS) flaw in a secure payment page of the Worldpay site, RBS' Internet payments service, according to a report from IT industry journal The Register.

The flaw allowed third parties to inject content into the page, as Grit demonstrated with a pop-up window reading "Is it safe?" An attacker could have taken advantage of the flaw to inject a false login box and steal user credentials, Grit said.

"I have tested this and confirm that unfortunately it does work on the live Worldpay website," Grit wrote in a 29 April email to RBS, quoted in the report. "Potentially, a fraudulent website could send the user to the Worldpay website in order to pay for their purchase, with all of the credit card details being then sent back to the hacker's server."

The flaw reportedly remained in place until Monday, a delay of three weeks, but has now been patched.

The page affected was protected by an SSL certificate, which industry bodies have said can instill a false sense of security. In newer browsers, SSL-protected sites are downplayed in favour of those using Extended Validation SSL, which requires more thorough validation of the body requesting the certificate.

Matthew Broersma