HSBC web sites are open to critical XSS attacks. Warning to customers!

Written by DP

Saturday, 21 June 2008

Evidently, multiple cross-site scripting vulnerabilities affecting bank web sites can have major unwanted consequences. Everyone working in the security industry must consider XSS the phishers' weapon of the future.

Scammers can register domains and set up fake bank web sites in a few minutes. With the help of bulk e-mailers they can phish sensitive personal data from thousands of unsuspecting web users.

If they want to own HSBC's e-banking customers, all they have to do is register a "suspicious"-looking domain like which is currently available, and then serve a phishing page.
Even better, they can exploit a cross-site scripting vulnerability on, obfuscate the attack vector (e.g. by URL-encoding it) so that the link still points at the genuine bank domain, and significantly increase their phishing success rate!
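The two sides of the problem described above, as an added example that is not code from this post or from any bank site: a page that reflects a query parameter verbatim (the defect behind reflected XSS) next to the same page with HTML output encoding, plus a small detector a site operator could run over access logs to spot URL-encoded markup in query strings. The host `bank.example`, the `/search?q=` endpoint and the log lines are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit


def render_unsafe(query_value: str) -> str:
    """Reflects the parameter into HTML verbatim: any markup in it becomes part of the page."""
    return f"<p>You searched for: {query_value}</p>"


def render_safe(query_value: str) -> str:
    """Same page, with the value HTML-escaped so markup in it is shown as text, not executed."""
    return f"<p>You searched for: {html.escape(query_value, quote=True)}</p>"


# Markup fragments that have no business in a search term; the check is case-insensitive
# and runs after percent-decoding, so URL-encoded variants are caught as well.
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def looks_like_reflected_xss(url: str) -> bool:
    """Return True when any query-string value of the URL contains script-like markup."""
    query = urlsplit(url).query
    for values in parse_qs(query, keep_blank_values=True).values():  # parse_qs percent-decodes
        for value in values:
            lowered = value.lower()
            if any(marker in lowered for marker in SCRIPT_MARKERS):
                return True
    return False


# Constructed Apache-style access log lines (hypothetical host bank.example).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jun/2008:10:01:02 +0000] "GET /search?q=mortgage+rates HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Jun/2008:10:01:09 +0000] '
    '"GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '203.0.113.7 - - [23/Jun/2008:10:02:30 +0000] "GET /accounts/summary HTTP/1.1" 200 2048',
]


def flag_log_lines(lines):
    """Return the log lines whose request path carries a suspicious query string."""
    flagged = []
    for line in lines:
        try:
            request = line.split('"')[1]      # 'GET /path?query HTTP/1.1'
            path = request.split(" ")[1]      # '/path?query'
        except IndexError:
            continue                          # malformed line, skip it
        if looks_like_reflected_xss(path):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print("unsafe :", render_unsafe(payload))
    print("safe   :", render_safe(payload))
    for line in flag_log_lines(SAMPLE_LOG):
        print("FLAGGED:", line)
```

The escaping in `render_safe` is the fix the notified sites need: once `<`, `>`, `"` and `&` are encoded on output, the reflected value cannot break out of its text context. The log check is a coarse triage aid, not a substitute for that fix; it decodes the query string first because percent-encoding is exactly the obfuscation a phisher relies on to make a hostile link look like an ordinary search URL.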

Updated 23/06/08:
- XSS notified by Hexspirit
- XSS notified by Hexspirit
- XSS notified by sl4xUz
- XSS notified by Airrox
- XSS notified by PaPPy / unfixed
- XSS notified by DaiMon / unfixed since 26/05/2008
- XSS notified by DaiMon / unfixed since 26/05/2008
- XSS notified by Babaconda / unfixed since 25/05/2008
- XSS notified by ironzorg / unfixed since 25/04/2008
- XSS notified by Venom23 / unfixed since 26/02/2008
- XSS notified by Darkster / published on 26/07/2007 - fixed on 12/09/2007
- XSS notified by takethis / published on 01/04/2007 - fixed on 21/08/2007

Protect your customers' privacy and security now! Leaving site-specific vulnerabilities open for days, weeks or months can lead to substantial financial losses! :-/

We suggest that you subscribe your online properties to the XSS early warning mailing list.

Related News (Updated):
"HSBC scripting flaws play into the hands of phishers", John Leyden, The Register, 25 Jun 08
"HSBC sites vulnerable to XSS flaws, could aid phishing attacks", Dancho Danchev, 29 Jun 08
