Citibank's critical cross-site scripting vulnerabilities

Written by DP

Saturday, 16 August 2008

DaiMon and mox have discovered two critical XSS flaws on Citibank's website.

The first one, an XSS flaw reported on 03/04/08, is still pending a fix:

Phishers can display a Citibank phishing page inside the victim's authenticated session for as long as the session cookie remains valid, i.e. until it expires or gets deleted (view the second screenshot).

The second XSS was published on 06/08/2008 and affects "Women & Co.", a membership program from Citi:

Both flaws can be exploited by malicious people to conduct phishing attacks with a higher success rate, since the fake page is served from the genuine Citibank domain, and to infect Citibank's clients with crimeware.
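To show the defect class behind both reports, here is an added example (not Citibank's code, nor code from the researchers) of a reflected XSS in a server-side page renderer beside its hardened form, together with the regression check a site owner can run before and after the fix. The query parameter name `q`, the search-results page and the sample query string are all constructed for this illustration; only the escaping call (`html.escape`) is a real standard-library API.

```python
import html
from urllib.parse import parse_qs

# Constructed sample request: the parameter value is "<b>x</b>" once URL-decoded.
# A harmless bold tag is enough to prove that markup reaches the page unencoded.
CONSTRUCTED_QUERY = "q=%3Cb%3Ex%3C%2Fb%3E"


def _search_term(query_string: str) -> str:
    """Return the first value of the hypothetical 'q' parameter, or '' if absent."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects user input straight into HTML: the pattern that lets an attacker-
    controlled link paint arbitrary content onto the bank's own domain."""
    return f"<h1>Results for {_search_term(query_string)}</h1>"


def render_hardened(query_string: str) -> str:
    """Same page, but every reflected value is HTML-encoded for the context it
    lands in. quote=True also encodes quotes so the value is safe inside attributes."""
    return f"<h1>Results for {html.escape(_search_term(query_string), quote=True)}</h1>"


def is_reflected_unescaped(rendered: str, injected: str = "<b>x</b>") -> bool:
    """Regression check: True if the raw injected markup survives in the output,
    i.e. the page is still reflecting input without encoding."""
    return injected in rendered


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = renderer(CONSTRUCTED_QUERY)
        print(f"{name:11s} reflects unescaped markup: {is_reflected_unescaped(page)}")
        print(f"            output: {page}")
```

Running the script prints the vulnerable renderer echoing `<b>x</b>` verbatim and the hardened one emitting `&lt;b&gt;x&lt;/b&gt;`; the same `is_reflected_unescaped` check, pointed at a real endpoint's response body, is how a fix like the one Citibank still owes for the first report can be confirmed.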

We're hoping they fix them soon.
