RSA, EMC’s security division, is advising customers to apply a two-year-old patch for its Adaptive Authentication product after a researcher discovered hundreds of banking Websites are still open to attack.
RSA Adaptive Authentication is a risk-based fraud prevention and authentication platform that measures risk indicators to identify suspicious activities. According to RSA, versions 2.x and 5.7.x of the on-premise edition of the product are vulnerable to cross-site scripting due to a Flash Shockwave file provided by the Adaptive Authentication system.
Still, hundreds of sites remain vulnerable, he told eWEEK.
Among the banking sites found to be impacted was the site belonging to the Bank of America, which has since patched the issue. Bank of America spokesperson Tara Burke said the patch was deployed and has proven to be successful.
“We have no evidence that our customers were affected,” she said, adding the company takes all reports of security vulnerabilities seriously and has a Zero Liability programme for customers if they are victimised.
An attacker can exploit this like any other reflected cross-site scripting attack, Goldshlager explained.
“To exploit this, the attacker needs to send the victim a link,” he said. “When the victim clicks the link, the attacker will be able to steal the sessionid from the victim that logged in to the online banking (site).”
According to an advisory on the issue by Secunia, certain input passed to the Shockwave file is not properly sanitised before being returned to the user.
“This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site,” according to Secunia, which rated the vulnerability less than critical.
The vulnerability does not affect 6.x versions, RSA noted in its updated advisory. The company urged customers who have not already deployed the patch to obtain it from RSA SecurCare Online.
“All RSA Adaptive Authentication customers deploy the solution primarily for the risk-based authentication and transaction monitoring, which makes it much more difficult to compromise an online bank account,” a RSA spokesperson told eWEEK.
“In the interest of protecting our customers, RSA cannot divulge the names or number of customers impacted by this issue,” the spokesperson continued. “However, since we reissued the security advisory about this patch to our customers, RSA has received numerous positive responses from customers indicating they are taking action to ensure their RSA Adaptive Authentication on-premise installations are updated.”
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…