Wednesday, December 03, 2008

Online Finance Flaw: TIAA-CREF XSS & Potential CSRF

Update 12/4/08: TIAA-CREF has made appropriate repairs, and is no longer vulnerable to common XSS in the search.jsp script. I applaud their responsiveness.

Before discussing a TIAA-CREF security flaw, allow me to clarify my "terms of engagement".
Prior to offering analysis of any security flaws in online financial services, be assured I have engaged the service provider and offered what I believe to a reasonable amount of time to remedy this issue. Specifically, a minimum of two weeks and three unique contact attempts are made. Should the vendor offer a timeline in which the issue will be resolved, so long as it is not months or years, I will wait until they are ready to deploy the fix, then discuss the vulnerability. If I am not in receipt of a reply other than generic customer service replies, I will follow the two week standard, then discuss the issue.

TIAA-CREF, or the Teachers Insurance and Annuity Association - College Retirement Equities Fund, is a respected, widely utilized provider of numerous financial products and services. The TIAA-CREF site is ranked 26,148 on at the time of this writing.

I'll first direct you to the TIAA-CREF Security page, where they discuss the expected elements like identity theft, spoofing, tips, and my favorite, phishing.
Here's where the trouble begins. Obviously, most phishing occurs when some miscreant creates a fake page and attempts to lure victims via email.
The severity of phishing risks are greatly increased by the introduction of a cross-site scripting (XSS) vulnerability in a site that is of high value to phishing attackers.
With such a vulnerability available, the prospect of success for a phisher are much higher given that the malicious URL they would craft could include the actual target domain, rather than a faked misrepresentation. A simple script insertion at the vulnerable variable would then allow the attacker to redirect victims to a maliciously crafted logon page in the context of the vulnerable site.
Sad side note: when you search security at the TIAA-CREF site, the above mentioned Security page is not returned in the results as I write this.
However, the resulting search URL serves as the starting point for our discussion of the flaw:
The vast majority of non-search input variables on the TIAA-CREF site offer reasonable XSS protections, likely a blacklist method that redirects you to the following language when common XSS strings are noted, particularly where it counts at logon pages.
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
Unfortunately, this methodology was not deployed globally, and thus the following online finance flaw.
All input variables used in TIAA-CREF's search.jsp script are vulnerable to XSS.
Utilized by an attacker, this could have a much more significant impact on TIAA-CREF customers who fall victim to a now more convincing social engineering effort.
Here's the site before script insertion:

Here's the site after script insertion:

Further, certain parts of the site, including the Trust Company logon page, show potential signs of cross-site request forgery (CSRF) in that they accept updates via GET or allow submittal with the referrer stripped.

Lessons learned:
1) Don't assume all is well even though a site may offer examples of how attentive they are to security.
2) Never log on to an online financial service offering (or anything else for that matter) via a link sent to you in an email. Period.
3) Take all steps at your disposal to ensure you are logging in to and transacting with the actual site you intended to utilize. Don't depend on security badges and SSL certificates as your sole means of confirmation.
4) If you note something of concern at a site you utilize, advise them immediately and demand repair or clarification until you're satisfied.

Please feel free to send feedback to TIAA-CREF as I have per my "terms of engagement" above. Hopefully they'll resolve this issue soon, on behalf of customers in their care.

Up next in our series, two of the top five banks mentioned in Javelin Strategy & Research's Banking Identity Safety Scorecard are vulnerable to similar issues. | digg | Submit to Slashdot

1 comment:

Rafal Los said...

@Russ - Great find. I am appalled at the number of sites that have basic, serious security flaws. Worse, I'm floored entirely, as a vendor of automation-based security tools, at how many large enterprises are doing next to nothing (amounting to negligence?) to protect their digital, web-based assets from attack and theft.

What's really telling is that the black market currently is SO saturated with stolen identities and associated information that it's driven the price of a "record" down significantly. I'll try and find a link to post-up soon for that.

Keep up the good fight.

Moving blog to

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...