Tuesday, September 2, 2008

Web Site design flaws

In August of 2008, JP Morgan Chase corrected a serious deficiency in its user logon frame. In the past, the secure account logon option was placed on Chase’s main web page, which was itself served over plain HTTP.

Old website – note not https: enabled


The embedded JavaScript code for the logon frame did submit the username and password over SSL; however, the customer had no way of knowing that this was happening in the background. Chase included a lock graphic inside the embedded logon box, which increased the potential for confusion and spoofing, because most web users are now taught to look for the lock on the browser’s toolbar, not inside the page.

Updated website – notice lock icon on toolbar


This deficiency had the potential to increase the success of phishing and man-in-the-middle attacks on Chase’s customers, because a criminal could easily duplicate the page and have embedded JavaScript code send the credentials anywhere they wished without the customer’s knowledge. Since the page itself was not protected by SSL, the customer had no browser-level indication that it was genuine.

Recently Professor Atul Prakash and doctoral students Laura Falk and Kevin Borders from the University of Michigan published a paper titled “Analyzing Websites for User-Visible Security Design Flaws”, which examined 214 U.S. financial institutions for this type of flaw, along with four others. They found that more than 75 percent of the financial institutions had at least one of these design flaws:

1. Break in the chain of trust: Some websites forward users to new pages that have different domains without notifying the user from a secure page. In this situation, the user has no way of knowing whether the new page is trustworthy.

2. Presenting secure login options on insecure pages: Some sites present login forms that forward to a secure page but do not come from a secure page. This is problematic because an attacker could modify the insecure page to submit login credentials to an insecure destination.

3. Contact information/security advice on insecure pages: Some sites host their security recommendations, contact information, and other sensitive information about their site and company on insecure pages. This is dangerous because an attacker could forge the insecure page and present different recommendations and contact information.

4. Inadequate policies for user ids and passwords: It is important to maintain consistent and strong policies on passwords and user ids. We found some sites allow customers to use short passwords or they require e-mail addresses for user names.

5. E-Mailing security sensitive information insecurely: E-mailing any sensitive information is dangerous. We found that some sites offered to send statements and passwords through email but not very many people have secure e-mail.

While you are looking at your user authentication pages, think like a hacker. Is your user authentication page SSL-enabled, but the rest of your site not? If so, does your application cause re-authentication to occur, thereby causing the credentials to be sent in the clear on the other pages? If your customer uses a hotspot and you don’t have an SSL-enabled site, assume that all information can be intercepted, and check to make sure you are not transmitting personally identifiable information on non-SSL-enabled pages.

With malicious attacks for profit on the rise, every organization needs to take a close look to see if it has any of these flaws on its website, and take quick action to correct them. However, if you don’t have time, don’t worry: the criminals do, and if they find a flaw, your customers will eventually call you.