Hundreds Of Bank Sites Vulnerable To Old RSA Flaw

RSA, EMC’s security division, is advising customers to apply a two-year-old patch for its Adaptive Authentication product after a researcher discovered hundreds of banking Websites are still open to attack.

RSA Adaptive Authentication is a risk-based fraud prevention and authentication platform that measures risk indicators to identify suspicious activities. According to RSA, versions 2.x and 5.7.x of the on-premise edition of the product are vulnerable to cross-site scripting due to a Flash Shockwave file provided by the Adaptive Authentication system.

Two-Year-Old Patch Yet To Be Applied

The vulnerability in question was actually patched in 2008, but it came back into focus recently when Nir Goldshlager, a security consultant with Avnet Technologies, found that many online banking sites were still vulnerable. He uncovered this by searching Google for the affected filename, and reported his findings to RSA in November.

Still, hundreds of sites remain vulnerable, he told eWEEK.

Among the banking sites found to be impacted was the site belonging to Bank of America, which has since patched the issue. Bank of America spokesperson Tara Burke said the patch was deployed and has proven to be successful.

“We have no evidence that our customers were affected,” she said, adding the company takes all reports of security vulnerabilities seriously and has a Zero Liability programme for customers if they are victimised.

An attacker can exploit this like any other reflected cross-site scripting attack, Goldshlager explained.

“To exploit this, the attacker needs to send the victim a link,” he said. “When the victim clicks the link, the attacker will be able to steal the sessionid from the victim that logged in to the online banking (site).”

According to an advisory on the issue by Secunia, certain input passed to the Shockwave file is not properly sanitised before being returned to the user.

“This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site,” according to Secunia, which rated the vulnerability less than critical.
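The flaw class described above (a link carrying attacker-controlled input that a Flash file reflects or acts on without sanitisation) is usually fixed by validating the parameter against an allowlist before it reaches a navigation or script sink. The following is an added example, not RSA's code and not the actual patch: the advisory does not say which sink the affected SWF used, so this shows the generic check a browser-side component (whether Flash or plain JavaScript) should apply to a URL-valued parameter. The function names `normaliseUrlInput` and `isSafeNavigationTarget`, and the origin `https://bank.example`, are assumptions made for the illustration.

```javascript
// Added illustration (not RSA's code, not the real fix): a scheme and origin
// allowlist for a URL-valued parameter taken from the query string or FlashVars
// and later used as a navigation target or handed back to the page.

// Only plain web schemes are ever acceptable as a navigation target.
// javascript:, data:, vbscript: and friends are rejected by omission.
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Browsers ignore ASCII control characters and leading/trailing whitespace
// when parsing a scheme, so "java\tscript:" and " javascript:" must be
// normalised before the scheme is inspected, not compared as raw text.
function normaliseUrlInput(value) {
  if (typeof value !== "string") return "";
  return value.replace(/[\u0000-\u0020\u007f]/g, "");
}

// Returns true only when `value` resolves (relative to `baseOrigin`) to an
// http(s) URL on the same origin. Anything that fails to parse, uses another
// scheme, or points at a different host (including "//evil" protocol-relative
// forms and "https://bank@evil" userinfo tricks) is refused.
function isSafeNavigationTarget(value, baseOrigin) {
  const cleaned = normaliseUrlInput(value);
  if (cleaned === "") return false;

  let url;
  try {
    url = new URL(cleaned, baseOrigin); // WHATWG parser, same as the browser
  } catch (e) {
    return false; // unparseable input is treated as hostile
  }

  if (!SAFE_SCHEMES.has(url.protocol)) return false;

  // Stricter policy than scheme-only: stay on our own origin, so the parameter
  // cannot be used as an open redirect either.
  return url.origin === new URL(baseOrigin).origin;
}

// Constructed sample inputs of the kind an attacker might place in a link.
const SAMPLE_BASE = "https://bank.example";
const SAMPLE_INPUTS = [
  "/accounts/summary",
  "javascript:alert(document.cookie)",
  "java\tscript:alert(1)",
  "//evil.example/steal",
  "https://bank.example@evil.example/",
];

for (const input of SAMPLE_INPUTS) {
  console.log(JSON.stringify(input), "->", isSafeNavigationTarget(input, SAMPLE_BASE));
}
```

Validating the scheme after normalisation is the part that matters: a naive `startsWith("javascript:")` check misses the tab-separated and mixed-case forms. Separately, marking the session cookie `HttpOnly` keeps an injected script from reading it through `document.cookie`, though script running in the page can still drive authenticated requests, so the cookie flag is a second layer rather than a substitute for fixing the reflection.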

The vulnerability does not affect 6.x versions, RSA noted in its updated advisory. The company urged customers who have not already deployed the patch to obtain it from RSA SecurCare Online.

“All RSA Adaptive Authentication customers deploy the solution primarily for the risk-based authentication and transaction monitoring, which makes it much more difficult to compromise an online bank account,” a RSA spokesperson told eWEEK.

“In the interest of protecting our customers, RSA cannot divulge the names or number of customers impacted by this issue,” the spokesperson continued. “However, since we reissued the security advisory about this patch to our customers, RSA has received numerous positive responses from customers indicating they are taking action to ensure their RSA Adaptive Authentication on-premise installations are updated.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

