informa
/
/
Announcements
Alert
Got some free time? Grow your knowledge from the comfort of your computer for FREE!
Alert
Are you looking to stay on top of IT trends? Check out our FREE webinars and virtual events!
Alert
Planning for 2023? Be sure to check out our upcoming in-person events!
Report
How does your salary stack up? 2022 IT Salary Survey Results Revealed
PreviousNext
IT Life
1 MIN READ
News

Security Researcher Says Citibank Took A While To 'C2' Security Flaw

Citibank's online cash-payment site, C2IT.com, has fixed a security flaw that would have permitted an attacker to see credit-card numbers, bank-account numbers, and other customer information.
InformationWeek Staff
Contributor
January 09, 2002
Security researcher Dave Devitry says Citibank's online cash-payment site, C2IT.com, has fixed a security flaw that he claims he privately warned the company about in September. Devitry says he uncovered a cross-site scripting vulnerability. The vulnerability, he says, would enable an attacker to see "credit-card numbers, bank-account numbers, security codes, and other data with no obfuscation."

According to Devitry, the flaw was fixed a few days after he posted his findings on SecurityFocus' Bugtraq vulnerability mailing list.

A Citibank spokeswoman says the company does not comment in detail about security issues. She says she is unaware of when Devitry first contacted Citibank about the vulnerability, and learned of it Monday.

In his alert, Devitry detailed how hackers could gain access to customers' credit and bank information, as well as transfer cash out of their accounts. Devitry says such an attack would be very simple: "Anyone with JavaScript knowledge could create devious code." Citibank's handling of the incident, he claims, demonstrates the need for full disclosure of discovered security vulnerabilities.

Cross-site scripting isn't a new flaw. The federally funded security watchdog group CERT/CC published an alert in February 2000 about the problem.

Recommended Reading
Loading..
More Insights
White Papers
More White Papers
Webinars
More Webinars
Reports
More Reports
Editor's Choice
January 2023 Global Tech Policy Bulletin: From ChatGPT Musings to Tech Diplomacy in India
Carlo Massimo, Political Reporter and Columnist
What Just Broke?: Twitter to Charge for Basic API Access
Joao-Pierre S. Ruth, Senior Writer
FTC Fines GoodRx $1.5M for Sharing Health Data With Facebook, Google
Brian T. Horowitz, Contributing Reporter
SAP Layoffs: What CIOs Should Know
Brian T. Horowitz, Contributing Reporter
Sustainability Takes Flight in the Travel Industry
Samuel Greengard, Contributing Reporter
Pathways to a More Sustainable Data Center
Nathan Eddy, Freelance Writer
Will Your Company Be Fined in the New Data Privacy Landscape?
Joao-Pierre S. Ruth, Senior Writer
Chaos Engineering: Benefits of Building a Test Strategy
Nathan Eddy, Freelance Writer
Tech Company Layoffs: The COVID Tech Bubble Bursts
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Top 10 Data Science Tools and Technologies
Cynthia Harvey, Freelance Journalist, InformationWeek
Special Report: Privacy in the Data-Driven Enterprise
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing
Webinars
More Webinars
White Papers
More White Papers
Live Events
More Live Events
Reports
More Reports
More Insights
White Papers
More White Papers
Webinars
More Webinars
Reports
More Reports