Re: [Full-disclosure] Wachovia Bank website sends confidential information

2007-07-12 Thread Bob Toxen
Wachovia Bank's Web Security people did phone me late yesterday to thank
me for raising the security issue.  They also stated that they were
investigating why my initial contacts with Wachovia did not result in
an appropriate response.

They said that they also were working with their legal people to determine
what notification to consumers, if any, was required due to the California
data breach law and similar laws elsewhere.

It was not made clear whether their phone call (and their correction
of the web page) was directly due to my posting on the Full-disclosure
list or because Steve Ragan saw my posting and contacted Wachovia.


For those who questioned whether I made sufficient attempts to contact
them, please note that I talked by phone both with customer support and
web support people and then FAXed the details to the web support person
who took my call.  Note that I bothered with this at all as a courtesy
to Wachovia.  Nobody paid me for my time.

For those who questioned whether I gave them sufficient time to react,
I stated in my FAX to them, in effect, that all they had to do within
7 days was to respond to the FAX and ask for more time to deal with
the problem.  I then waited 15 days, not 7, before posting on FD after
having received no response and seeing that the problem remained.

For those who questioned my motives and suggested that I deliberately
did not make sufficient effort to contact them, well, I detailed my
3 contacts above and then got no response for 15 days.  For those who
suggested I was motivated by fame, well, I already have that.  I won't
blow my horn here but anyone is welcome to do a Google search on me.

Wachovia has fixed the problem.  They are working to ensure that future
advisories are handled properly.  Thanks to all who responded.  Shall we
put this matter to bed?

Bob Toxen,
Horizon Network Security
http://www.verysecurelinux.com   [Network  Linux/Unix Security Consulting]
http://www.realworldlinuxsecurity.com [Our 5* book: Real World Linux Security]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Wachovia Bank website sends confidential information

2007-07-11 Thread Bob Toxen
On Tue, Jul 10, 2007 at 09:39:33PM -0400, Jim Popovitch wrote:
> On Tue, 2007-07-10 at 20:20 -0400, Bob Toxen wrote:
> > VI. VENDOR RESPONSE
> >
> > The vendor (Wachovia Bank) was notified via their customer service
> > phone number on June 25.  We were transferred to web support.  The
> > person answering asked us to FAX the details to her and we did so,
> > also on June 25.  We explained that we were reporting a severe
> > security problem on their web site.
> >
> Severe?  All that seems to be leaked is a person's Name/Address/SSN
> number and some other details.  While this is too much info to leak, I'd
> hardly say it's severe.   That same info can be easily found in people's
> mailboxes weekdays between noon and 4pm.
Leaking a SSN is considered serious.  My use of the term severe was
to get their attention.

> > We stated that if we did not hear back from them within 7 days and
> > the problem was not fixed by then that we would post the problem on the
> > Full Disclosure list, following accepted industry practice.
> >
> 7 days?   industry practice?   Come on Bob I know you know that large
> corporations can't feed a cat in 7 days let alone make unscheduled
> website changes that fast.  Change control approvals alone would include
> 14 or more days in most enterprises.   Why the rush to say so?
Please read my posting more carefully.  I stated that if I did not
hear back within 7 days and the problem persisted then I would disclose
it.  All they had to do was to ask for more time and I would have granted
any reasonable extension.  Instead, it appears that they ignored my
report; discouraging that is what Full Disclosure is all about, IMO.

I think that that web page should have been shut down within the
hour as any competent web person could have confirmed the leak with
a few minutes' inspection of the page source.

> -Jim P.
Bob
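The "few minutes' inspection of the page source" Bob refers to, and the page-source check his advisory's DETECTION section describes, can be made a routine audit. The following is an added example written for this thread, not code from any of the participants or from Wachovia: it parses an HTML page, resolves every form's action URL against the page URL, and flags forms that would send sensitive-looking fields (SSN and similar, an assumed keyword list) to a non-https target. The sample pages, hostnames and field names are constructed for illustration; it uses only the Python standard library.

```python
"""Audit HTML forms for plaintext submission of sensitive fields.

Added example (not part of the mailing-list thread): the check a web team
could run against its own pages to catch what this thread describes, a
form collecting an SSN whose POST target is an http:// URL.  The sample
pages, hostnames and field names below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that should never travel over plaintext (assumed list).
SENSITIVE_HINTS = ("ssn", "social", "password", "account", "card")


class FormAuditor(HTMLParser):
    """Collect every <form> with its resolved action URL and input names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of dicts: action, method, fields
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action is resolved against the page URL,
            # so a form on an http page with action="/x" is still an http post.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action,
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return findings: forms that submit sensitive fields to a non-https URL."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        scheme = urlsplit(form["action"]).scheme
        sensitive = [f for f in form["fields"]
                     if any(h in f.lower() for h in SENSITIVE_HINTS)]
        if scheme != "https" and sensitive:
            findings.append({"action": form["action"],
                             "method": form["method"],
                             "sensitive_fields": sensitive})
    return findings


# Constructed sample: the pattern the advisory describes, an http page whose
# form posts an SSN back to a relative (hence http) URL.
PLAINTEXT_PAGE = """
<html><body>
<form method="post" action="/personal/forms/privacy_optout_submit">
  <input type="text" name="firstName">
  <input type="text" name="ssn">
  <input type="text" name="address">
  <input type="submit" value="Submit">
</form>
</body></html>
"""

# Constructed sample: the page itself is served over https, but the form's
# absolute http:// action still sends the data in the clear.
MIXED_PAGE = """
<html><body>
<form method="post" action="http://forms.example.test/optout">
  <input type="text" name="ssn">
</form>
</body></html>
"""

# Constructed sample: corrected page, https action; the search form carries
# nothing sensitive and is not reported.
FIXED_PAGE = """
<html><body>
<form method="post" action="https://forms.example.test/optout">
  <input type="text" name="ssn">
</form>
<form method="get" action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for url, page in [("http://www.example.test/forms/optout", PLAINTEXT_PAGE),
                      ("https://www.example.test/forms/optout", MIXED_PAGE),
                      ("https://www.example.test/forms/optout", FIXED_PAGE)]:
        for f in audit_page(url, page):
            print(f"PLAINTEXT {f['method'].upper()} to {f['action']}: "
                  f"{f['sensitive_fields']}")
```

Two design points matter for the second sample: a padlock on the page does not prove the submission is protected, because the form's action, not the page's own URL, decides where and how the data goes; and the audit resolves relative actions, since an old http copy of a page that is still reachable (as Bob notes the original URL was) will post to http even after an https version exists.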



Re: [Full-disclosure] Wachovia Bank website sends confidential information

2007-07-11 Thread Bob Toxen
On Wed, Jul 11, 2007 at 12:38:54PM -0400, Steve Ragan wrote:
> The link now redirects to an HTTPS page
Thanks Steve.

This proves the value of Full Disclosure.

This seems to have changed within a few hours of my posting to Full
Disclosure rather than in the several weeks after I first alerted it.
Note that Wachovia still has not subsequently contacted me to thank me,
acknowledge my work, or to threaten me.

Yes, the page that consumers can get to by navigating Wachovia's web site
(or in response to the paper mail Wachovia sent out) now is the
following, which posts using https to provide strong encryption:

  https://www.wachovia.com/personal/forms/privacy_optout

It has comments with time-stamps of late yesterday, after I disclosed
on the list:

 <!-- Vignette V6 Tue Jul 10 19:28:33 2007 -->


I do note that the existing URL:

 http://www.wachovia.com/personal/forms/privacy_optout

still exists and is accessible.

That http page still appears to post the SSN, etc. unencrypted.
Clearly, someone needs to delete the old page or only allow it as https.
Of course, this is a very minor issue as there is no way for a consumer
to trip over this page accidentally.

I wonder if Wachovia will follow the California state breach security
policy.


Bob


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bob Toxen
> Sent: Tuesday, July 10, 2007 8:20 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Wachovia Bank website sends confidential
> information
>
> Wachovia Bank website sends confidential information (social security
> numbers, phone number, address, etc.) over the Internet without encryption.
>
> Horizon Network Security Security Advisory 07/10/2007
> http://VerySecureLinux.com/ Jul 10, 2007
>
> I. BACKGROUND
>
> Wachovia Bank's official web site offers the following URL to allow its
> customers to change their privacy preferences:
>
>  http://www.wachovia.com/privacy
>
> Wachovia also notified its customers by U.S. Mail that they can use that
> same URL besides.
>
> That URL has a link to the following to actually change one's
> preferences:
>
>  http://www.wachovia.com/personal/forms/privacy_optout
>
> Unfortunately, that page appears to be an ordinary HTML form whose filled
> out data then is transmitted via the post method to an http (not https)
> URL.
>
> III. ANALYSIS
>
> We inspected the page's source via our Opera browser.  (We did not sniff the
> web traffic so we are not absolutely sure that there is not some hidden
> encryption method, though there appears to be none.)
>
> IV. DETECTION
>
> It is trivial to inspect the page source or sniff the data to demonstrate
> the problem.  The problem has not been corrected.
>
> V. WORKAROUND
>
> Use a method other than their web site to exercise one's preferences.
>
> VI. VENDOR RESPONSE
>
> The vendor (Wachovia Bank) was notified via their customer service phone
> number on June 25.  We were transferred to web support.  The person
> answering asked us to FAX the details to her and we did so, also on June 25.
> We explained that we were reporting a severe security problem on their web
> site.
>
> We stated that if we did not hear back from them within 7 days and the
> problem was not fixed by then that we would post the problem on the Full
> Disclosure list, following accepted industry practice.
>
> To date we have received no response and the problem remains unfixed.
>
> VII. CVE INFORMATION
>
> There is no CVE number.
>
> VIII. DISCLOSURE TIMELINE
>
> 06/25/2007  Initial vendor notification
> 06/25/2007  Vendor requested FAXed details
> 06/25/2007  Details FAXed to vendor
>
> 07/20/2007  No vendor response
> 07/20/2007  Public disclosure on this Full Disclosure list
>
> IX. CREDIT
>
> This problem was discovered by Bob Toxen, one of our engineers.
>
> X. LEGAL NOTICES
>
> Copyright (C) 2007 Horizon Network Security.  All rights reserved.
>
> Permission is granted for the redistribution of this alert electronically.
> It may not be edited without the express written consent of Horizon Network
> Security.  If you wish to reprint the whole or any part of this alert in any
> other medium other than electronically, please e-mail
> [EMAIL PROTECTED] for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate at
> the time of publishing, based on currently available information.  Use of
> the information constitutes acceptance for use in an AS IS condition and
> waiving of the right to any action against Horizon Network Security or its
> employees or contractors.
>
> There are no warranties with regard to this information.  Neither the author
> nor the publisher accepts any liability for any direct, indirect, or
> consequential loss or damage arising from use of, or reliance on, this
> information.
>
> We believe Wachovia Bank is obligated by California's security breach
> disclosure laws to notify its California customers who may have used this
> form and the State of California.  Other jurisdictions also may have