HSBC web sites are open to critical XSS attacks. Warning to customers!

Evidently, multiple cross-site scripting vulnerabilities on bank web sites can have serious consequences. Everyone working in the security industry should regard XSS as the phishers' next weapon.

Scammers can register domains and set up fake bank web sites in a few minutes. With the help of bulk e-mailers they can phish personal sensitive data from thousands of unsuspecting web users.

If they want to own HSBC's e-banking customers, all they have to do is to register a "suspicious" looking domain like hscsbc.com which is currently available and then serve a phishing page.
Even better, they can exploit a cross-site scripting vuln on hsbc.com, obfuscate the attack vector and significantly increase their phishing success rate!
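As an added illustration of what "obfuscate the attack vector" means for the people who have to spot it in their own traffic, here is a small Python log check (example code written for this page, not from xssed or HSBC): it peels layered URL and HTML-entity encoding off query parameters in constructed Apache-style access-log lines and flags the ones that decode to script-like content. The host, payloads and addresses in the sample are made up.

```python
import re
import html
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (not taken from the original post).
# Line 1 is a normal search; lines 2-4 carry a plain, a double-URL-encoded
# and an HTML-entity-encoded reflected XSS attempt respectively.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jun/2008:10:01:02 +0000] "GET /search?q=mortgage+rates HTTP/1.1" 200 5120
10.0.0.6 - - [23/Jun/2008:10:01:09 +0000] "GET /search?q=%3Cscript%3Edocument.location%3D%27http%3A//evil.example/%27%3C/script%3E HTTP/1.1" 200 5200
10.0.0.7 - - [23/Jun/2008:10:02:15 +0000] "GET /login?ret=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4100
10.0.0.8 - - [23/Jun/2008:10:03:44 +0000] "GET /help?topic=%26%23106%3Bavascript:alert(1) HTTP/1.1" 200 3000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Markers of a script-bearing value after decoding: tags, event handlers, javascript: URLs.
XSS_RE = re.compile(
    r'<\s*script|<\s*/?\s*(?:img|svg|iframe|body)\b|\bon\w+\s*=|javascript\s*:', re.I)


def normalise(value, rounds=3):
    """Undo a few layers of URL and HTML-entity encoding used to hide a vector."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def flag_reflected_xss(log_text):
    """Return (line_no, param_name, decoded_value) for each suspicious query parameter."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qsl already removes one layer of URL encoding; normalise() handles the rest.
        for name, raw in parse_qsl(query, keep_blank_values=True):
            decoded = normalise(raw)
            if XSS_RE.search(decoded):
                hits.append((line_no, name, decoded))
    return hits


if __name__ == "__main__":
    for line_no, name, value in flag_reflected_xss(SAMPLE_LOG):
        print(f"line {line_no}: parameter {name!r} decodes to {value!r}")
```

Any hit is a reason to check whether the targeted page reflects that parameter unencoded; a pattern list like this is a triage aid, not a substitute for output encoding in the application.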

Updated: 23/06/08:
www.investdirect.hsbc.gr XSS notified by Hexspirit
www.hsbc.com.sv XSS notified by sl4xUz
www.hsbc.com XSS notified by Airrox
-
www.hsbc.co.uk XSS notified by PaPPy / unfixed
www.hsbc.com.tr XSS notified by DaiMon / unfixed since 26/05/2008
www.hbeu1.hsbc.com XSS notified by DaiMon / unfixed since 26/05/2008
www.hsbc.com.tr XSS notified by Babaconda / unfixed since 25/05/2008
www.hsbcprivatebankfrance.com XSS notified by ironzorg / unfixed since 25/04/2008
www.hsbc.fi.cr XSS notified by Venom23 / unfixed since 26/02/2008
www.hsbc.com XSS notified by Darkster / published on 26/07/2007 - fixed on 12/09/2007
monavenir.hsbc.fr XSS notified by takethis / published on 01/04/2007 - fixed on 21/08/2007

Protect your customers' privacy and security now! Leaving site-specific vulnerabilities open for days, weeks or months can lead to substantial financial losses! :-/

We suggest that you subscribe your online properties to the XSS early warning mailing list.

Related News (Updated):
"HSBC scripting flaws play into the hands of phishers", John Leyden, The Register, 25 Jun 08

[Source: xssed]
