Hundreds Of Bank Sites Vulnerable To Old RSA Flaw

Two years on and banks have yet to apply a patch protecting RSA’s Adaptive Authentication platform

RSA, EMC’s security division, is advising customers to apply a two-year-old patch for its Adaptive Authentication product after a researcher discovered hundreds of banking Websites are still open to attack.

RSA Adaptive Authentication is a risk-based fraud prevention and authentication platform that measures risk indicators to identify suspicious activities. According to RSA, versions 2.x and 5.7.x of the on-premise edition of the product are vulnerable to cross-site scripting due to a Flash Shockwave file provided by the Adaptive Authentication system.

Two-Year Old Patch Yet To Be Applied

The vulnerability in question was actually patched in 2008, but was brought back into focus recently when Nir Goldshlager, a security consultant with Avnet Technologies, discovered many online banking sites were still vulnerable to attack, something he uncovered after searching for the affected filename in Google. He reported his discovery to RSA in November.

Still, hundreds of sites remain vulnerable, he told eWEEK.

Among the banking sites found to be impacted was the site belonging to the Bank of America, which has since patched the issue. Bank of America spokesperson Tara Burke said the patch was deployed and has proven to be successful.

“We have no evidence that our customers were affected,” she said, adding the company takes all reports of security vulnerabilities seriously and has a Zero Liability programme for customers if they are victimised.

An attacker can exploit this like any other reflected cross-site scripting attack, Goldshlager explained.

“To exploit this, the attacker needs to send the victim a link,” he said. “When the victim clicks the link, the attacker will be able to steal the sessionid from the victim that logged in to the online banking (site).”

According to an advisory on the issue by Secunia, certain input passed to the Shockwave file is not properly sanitised before being returned to the user.

“This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site,” according to Secunia, which rated the vulnerability less than critical.

The vulnerability does not affect 6.x versions, RSA noted in its updated advisory. The company urged customers who have not already deployed the patch to obtain it from RSA SecurCare Online.

“All RSA Adaptive Authentication customers deploy the solution primarily for the risk-based authentication and transaction monitoring, which makes it much more difficult to compromise an online bank account,” a RSA spokesperson told eWEEK.

“In the interest of protecting our customers, RSA cannot divulge the names or number of customers impacted by this issue,” the spokesperson continued. “However, since we reissued the security advisory about this patch to our customers, RSA has received numerous positive responses from customers indicating they are taking action to ensure their RSA Adaptive Authentication on-premise installations are updated.”