Security Researcher Says Citibank Took A While To 'C2' Security Flaw - InformationWeek


Citibank's online cash-payment site,, has fixed a security flaw that would have permitted an attacker to see credit-card numbers, bank-account numbers, and other customer information.

Security researcher Dave Devitry says Citibank's online cash-payment site,, has fixed a security flaw that he claims he privately warned the company about in September. Devitry says he uncovered a cross-site scripting vulnerability. The vulnerability, he says, would enable an attacker to see "credit-card numbers, bank-account numbers, security codes, and other data with no obfuscation."

According to Devitry, the flaw was fixed a few days after he posted his findings on SecurityFocus' Bugtraq vulnerability mailing list.

A Citibank spokeswoman says the company does not comment in detail about security issues. She says she does not know when Devitry first contacted Citibank about the vulnerability, and that she learned of it Monday.

In his alert, Devitry detailed how hackers could gain access to customers' credit and bank information, as well as transfer cash out of their accounts. Devitry says such an attack would be very simple: "Anyone with JavaScript knowledge could create devious code." Citibank's handling of the incident, he claims, demonstrates the need for full disclosure of discovered security vulnerabilities.

Cross-site scripting isn't a new flaw. The federally funded security watchdog group CERT/CC published an alert in February 2000 about the problem.
