Learn IT strategies from the 500 most innovative companies in North America. Get the InformationWeek 500 Analytics Report FREE today!

Welcome Guest. | Log In| Register | Membership Benefits

Security Researcher Says Citibank Took A While To 'C2' Security Flaw

Citibank's online cash-payment site, C2IT.com, has fixed a security flaw that would have permitted an attacker to see credit-card numbers, bank-account numbers, and other customer information.

By George V. Hulme
InformationWeek
January 9, 2002 12:00 AM

Security researcher Dave Devitry says Citibank's online cash-payment site, C2IT.com, has fixed a security flaw that he claims he privately warned the company about in September. Devitry says he uncovered a cross-site scripting vulnerability. The vulnerability, he says, would enable an attacker to see "credit-card numbers, bank-account numbers, security codes, and other data with no obfuscation."

According to Devitry, the flaw was fixed a few days after he posted his findings on SecurityFocus' Bugtraq vulnerability mailing list.

More Software Insights

White Papers

Webcasts

Reports

A Citibank spokeswoman says the company does not comment in detail about security issues. She says she is unaware of when Devitry first contacted Citibank about the vulnerability, and learned of it Monday.

In his alert, Devitry detailed how hackers could gain access to customers' credit and bank information, as well as transfer cash out of their accounts. Devitry says such an attack would be very simple: "Anyone with JavaScript knowledge could create devious code." Citibank's handling of the incident, he claims, demonstrates the need for full disclosure of discovered security vulnerabilities.

Cross-site scripting isn't a new flaw. The federally funded security watchdog group CERT/CC published an alert in February 2000 about the problem.

Subscribe to RSS

» Write To Editor
» Reprint This Article
» Download Top Reports

CAREER CENTER

Ready to take that job and shove it?
Open | Close

Post Your Resume

Employers Area

News & Features

Blogs & Forums

Career Resources

Browse By:
State | City

SPONSOR

RECENT JOB POSTINGS

Featured Jobs:

Videology Imaging seeking Software Architect in Greenville, RI

Beyond.com seeking Database Developers in King of Prussia, PA

Mentor Graphics seeking Sr. Director of Sales in San Jose, CA

Mesalands Community College seeking Comp Sci Instructor in Tucumcari, NM

Sectoral Asset Management seeking IT Manager in Montreal, QC

For more great jobs, career-related news, features and services, please visit our Career Center.

CAREER NEWS

10 Search Engines You Don't Know About

Go beyond Google and get vertical. These specialized search sites will help you find the business information you need -- fast.

Yahoo Profits Fall 23%, Cuts 1,000 Jobs

Ari Balogh was named to the post of chief technology officer as the companys for a "realignment" of employees.

Featured Software White Paper

Green IT: The Next Priority for Enterprise Data Centers
Green IT is a label for a movement in the IT industry to solve these problems through hardware and software advancements, efficient data center design and best practices. This eBook covers the primary issues facing Green IT today and tomorrow. read more