Citibank's critical cross-site scripting vulnerabilities
Written by DP
Saturday, 16 August 2008
DaiMon and mox have discovered two critical XSS flaws on Citibank's website.
The first one has been awaiting a fix since 03/04/08:
Phishers can display a Citibank phishing page until the victim's session cookie expires or is deleted (view the 2nd screenshot).
The second XSS was published on 06/08/2008 and affects "Women & Co.", a Citi membership program:
Both flaws can be exploited by malicious people to conduct phishing attacks with a higher success rate and to infect Citibank's clients with crimeware, because the forged content is served from Citibank's own domain.
We're hoping they fix them soon.