TOPIC: Bank Of America Online Banking Website Vulnerable to Reauthentication of Logged Out Sessions DATE: 9-13-2001 FOUND BY: Brad Will STATUS: Bank of America's Customer Service and Technical Support were notified in 8/1/2001. Both replied with canned "this will be forwarded to the appropriate parties" responses. DESCRIPTION: Users of the Bank of America Online Banking website are vulnerable to a basic web security hole. After logging the current session out, a user can back up to a cached page (https://onlineid.bankofamerica.com/cgi- bin/sso.login.controller) in their browser's history. (This is most easily reproduced in Netscape. In MSIE, the user will more than likely be automatically redirected to another page.) Once on this page, the user can press the "refresh" button in their browser. This will repost the login credentials from the previous login, creating a new session, and logging the user in to the site. FIX: There are numerous ways to solve this problem. One common method is to insert a hidden field containing a number into the HTML. Then, this number is tied to a specific session. If the session has already been logged out, when the form is reposted, the hidden value will have already been used, and access is not allowed.
