Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Full Disclosure: Full-Disclosure

Citibank CitiDirect - forced usage of vulnerable version of Java Runtime Environment

 

 

Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded


tometzky+fd at gmail

Jul 6, 2010, 11:49 PM

Post #1 of 2 (940 views)
Permalink
Citibank CitiDirect - forced usage of vulnerable version of Java Runtime Environment

Citibank CitiDirect Online Banking is forcing usage of vulnerable
version of Java Runtime Environment.


Vulnerable product information

CitiDirect Online Banking [is a] Citibank's Web-based banking platform.
CitiDirect puts all your corporate banking functions in one
security-protected place, giving you around the globe, centralized
access to your account information in real time right from your desktop.
<https://www.citidirectonline1.citidirect.citicorp.com/web/cda/home.jsp>

CitiDirect® is available in more than 90 countries and in 21 languages.
It has more than 150,000 users within 25,000 corporate clients. [in
2004, now probably many more]
<http://www.citigroup.com/transactionservices/home/about_us/press_room/archives/2004/2004_0203.jsp>


Vulnerability description

CitiDirect requires Java Runtime Environment (JRE) installed on client's
computer and Java plugin enabled in client's browser. But it requires a
"supported version" of Java, a list of which often does not include
latest version for months after release:
Supported JRE Versionse
https://citidirect-eb.citicorp.com/logon/SunVersionHelp.html
It is now over _3_ _months_ after release of Java 6 update 19, with 27
security vulnerabilities fixed:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
It is still "unsupported" though. And there's now update 20 released,
which closes another vulnerability currently exploited in the wild.

Users of unsupported version of JRE are denied access to online banking
- "The version of Sun Java™ software currently installed on your
computer does not meet the requirements to run CitiDirect® Online Banking".


Impact of vulnerability

Users are forced to use in a browser a version of JRE plugin, that is
vulnerable to publicly known vulnerabilities, with publicly available
exploits.

Also users are trained to ignore notifications from Java about new
versions, as installing it denies them access to their money. It makes
them vulnerable permanently.


Vendor response

I've tried to contact Citibank at least from August 2007.

I wasn't able to find a security contact anywhere on a citigroup.com
pages. I've tried to contact by a web form
https://www.citibank.com/domain/contact/visitor_email/form.htm but
haven't received a response.

So I have contacted phone support for Poland. Their responses were
"entertaining", like:
- we use 256 bit encryption so we are very secure;
- you can use a vulnerable Java, because we will not try to break to
your computer;
- nobody will be able to write an exploit targeting a bank in a few
weeks before a new version of Java is tested and marked supported.


Suggested actions for vendor

Vendor should allow latest and future versions of Java to access the
site. It can display a warning, that this version of Java is not fully
tested for at most a week after a new Java release.

Vendor should also display a prominent warning if it detects a
vulnerable version of Java in client's computer urging him to upgrade.
This way it can at least try to repair damage it did already.


Suggested actions for clients

Change a bank, as Citibank is blatantly ignorant about security. Then
upgrade or uninstall Java as soon as possible.


Suggested actions for others

Do not try to compromise Citibank's clients or employees computers -
it's not their fault that they have to use insecure Java. Pretty please.


Regards
Tomasz "Tometzky" Ostrowski
--
...although Eating Honey was a very good thing to do, there was a moment
just before you began to eat it which was better than when you were...
Winnie the Pooh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


secn3t at gmail

Nov 2, 2011, 4:13 PM

Post #2 of 2 (612 views)
Permalink
Re: Citibank CitiDirect - forced usage of vulnerable version of Java Runtime Environment [In reply to]

Ay i second that one.. biggest group of billionaire thieves known and
seemingly go anonymously by... i would not even serach for theyre
'security' as they would not care ... i doubt...,
2 other banks wich, are pretty blatant thieves also, (by thieves i
mean they do not align to reserve bank rate drops...)...anyhow i tried
to contact 2 to stop some real nasty redirecting spam and, theyre
online form on one was dead, second one i got a thanks but domain
stayd alive, stays alive till today :s
Banks really should start to take security more seriously, ONLY 1
overseas bank for me,w ich was actually i think was Nova Scotia Bank,
was very helpful and did kill spam when it was happening to them..
I guess that is one out of about 5 for me... you just cant tell them
theyre vuln coz, most dont give a shit anyhow until it seems it is to
late ala CBA...
cheers


On 3 November 2011 10:07, coderman <coderman [at] gmail> wrote:
> On Wed, Nov 2, 2011 at 10:04 AM, Tomasz Ostrowski <tometzky [at] gmail> wrote:
>> ...
>> Suggested actions for clients
>>
>> Change a bank, as Citibank is blatantly ignorant about security.
>
> this is good advice for many reasons. citigroup is full of thieves:
>
> http://mobile.nytimes.com/2011/10/30/opinion/sunday/friedman-did-you-hear-the-one-about-the-bankers.xml
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.