Tuesday, January 06, 2009

Online finance flaw: Merrill Lynch not bullish on XSS & CSRF vulnerabilies

Updated: 1/16/09 See update below.

Perhaps, now that they're a Bank of America property, better web site security is in store for Merrill Lynch. In the meantime...here's where the trouble begins.
Prompted by headlines from December 21st stating that $1.6B Of Bank Bailout Went To Execs, I thought I'd take a look at the most egregious amongst those receiving a bailout courtesy of taxpayers.
I'd also like to explore what web app vulns mean to Sarbanes-Oxley (SOX) compliance; I've posed some questions below.

Here's all you really need to know:
John A. Thain, chief executive officer of Merrill Lynch, topped all corporate bank bosses with $83 million in earnings last year. Thain, a former chief operating officer for Goldman Sachs, took the reins of the company in December 2007, avoiding the blame for a year in which Merrill lost $7.8 billion. Since he began work late in the year, he earned $57,692 in salary, a $15 million signing bonus and an additional $68 million in stock options.
Like Goldman, Merrill Lynch received $10 billion from taxpayers on Oct. 28.

Too bad Merrill Lynch didn't spend just a wee small percentage of excessive salaries focusing on improving web application security on behalf of the customers paying for the extravagant lifestyles of their top execs.
But, that said, enough frustrated social commentary.

The Merrill Lynch OnLine Login page is vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF), leaving customers at risk for financial compromise via phishing or credential theft.

As always, I followed my terms of engagement, sending no less than three emails over a period of no less than two weeks, even allowing a couple of extra days for the holidays.
To date I have not received a single response, automated or otherwise.

The point is best driven home via video, but the details are simple enough.
A properly formed IFRAME fits neatly, front and center, on Merrill Lynch's OnLine login, embedding Morgan Stanley's ClientServ login page, just to prove the point.

Merrill Lynch OnLine before:

Merrill Lynch OnLine after:

Web application vulnerabilities and SOX compliance

It's obvious that vulnerabilities such as that described above indicate a clear break from PCI compliance.
But what about SOX? HP (formerly SPI Dynamics) offers an interesting perspective in an effort to promote product:
Sarbanes-Oxley Act compliance can be difficult because it was not written specifically with information technology or information security in mind; however, there are various sections within the act that directly affect these functions in today’s corporations. This includes how information is accessed, what leaves the corporate network and what information needs to be protected and retained over time. You should conduct web application security assessments for an initial SOX compliance risk assessment to understand your various internal controls.
Such a web application security assessment would certainly require that a company like Merrill Lynch "validate that web application inputs are properly validated and not vulnerable to command injection or cross-site scripting attacks."
If SOX Section 404: Assessment of internal control indicates that an enterprise must "evaluate controls designed to prevent or detect fraud", shouldn't web application vulnerabilities that lend greatly to phishing or credential theft (fraud to be sure) fall under established controls?
So, my compliance an auditor friends, who wants to take this one on?
Comments welcome.

Can a failed enterprise like Merrill Lynch, who received $10 billion in bailout funds, and compensated a top exec in extraordinary fashion, be called in to question with regard to SOX compliance for issues as described above?
I'm not certain, but it seems worthy of consideration and debate.
I look forward to your feedback.

Update 1/16/09
The Merrill Lynch security team has responded in force and has conveyed that they "take security very seriously and now that we know about this are acting quickly."
As of 1/16/09 Merrill Lynch has indicated that the necessary fixes have been applied to their production environment.
They've also asked that, should anyone discover issues in the future, that they report them to abuse at ml.com.

del.icio.us | digg | Submit to Slashdot


Anonymous said...

To me there is no question that web application security flaws are relevant to financial results, and that under SOX organizations must verify their applications and fix any problems they find. If there's any question about what organizations need to verify, they should check the new OWASP ASVS which defines specific verification requirements for applications. The only caveat is that if the application has no bearing on the integrity of financial results, then SOX doesn't require anything.

Anonymous said...

Jeremiah prompted me to do some research. I spoke to a SOX auditor and they had two responses of interest:

First, this web app vulns are unlikely to affect SOX as the web app and related servers are unlikely to be hosting the financial data.

Second, when I asked if there would be an impact if the web vuln allowed access to the internal network, the answer was still that it was unlikely, as the other internal controls around the financial statements would be considered.

Finally, he left off saying that firms are growing more relaxed on SOX in general.

Scott said...

I seems from the video that you used a POST to expose the XSS. Did you find out if the server treated GETS the same as posts?

Russ McRee said...

No immediately obvious signs of GET weaknesses, but treat that as inconclusive analysis. ;-)

Moving blog to HolisticInfoSec.io

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...