Security researcher Dave Devitry says Citibank's online cash-payment site, C2IT.com, has fixed a security flaw that he claims he privately warned the company about in September. Devitry says he uncovered a cross-site scripting vulnerability. The vulnerability, he says, would enable an attacker to see "credit-card numbers, bank-account numbers, security codes, and other data with no obfuscation."

According to Devitry, the flaw was fixed a few days after he posted his findings on SecurityFocus' Bugtraq vulnerability mailing list.

A Citibank spokeswoman says the company does not comment in detail about security issues. She says she is unaware of when Devitry first contacted Citibank about the vulnerability, and learned of it Monday.

In his alert, Devitry detailed how hackers could gain access to customers' credit and bank information, as well as transfer cash out of their accounts. Devitry says such an attack would be very simple: "Anyone with JavaScript knowledge could create devious code." Citibank's handling of the incident, he claims, demonstrates the need for full disclosure of discovered security vulnerabilities.

Cross-site scripting isn't a new flaw. The federally funded security watchdog group CERT/CC published an alert in February 2000 about the problem.