Jim Popovitch wrote: > 7 days? "industry practice"? Come on Bob I know you know that large > corporations can't feed a cat in 7 days let alone make unscheduled > website changes that fast. Change control approvals alone would include > 14 or more days in most enterprises. Why the rush to "say so"? Why should a security researcher waste their time with a vendor who can't even acknowledge the receipt of a security notification in 7 days? Even the OIS guidelines (which are pretty heavily vendor biased) suggest that vendors should respond to notifications no later than 7 days (3 days if the researchers asks for receipt confirmation) If Wachovia had responded with a receipt confirmation on the same day, and followed up in a few days with the results of an initial analysis and perhaps a case number from their bug tracking system, things might have been different. By the way, the privacy page is not the biggest issue on Wachovia's web site. On http://www.wachovia.com/ they have a online banking login form. The username and password are submitted to a HTTPS url, but the form itself is not protected. It's trivial to MITM the HTTP site and capture the data from the login form before it is submitted (or redirect it to a server of your choice). Of course they show a nice padlock image next to the login form, so it must be safe! It appears that MITM is just not part of Wachovia's threat model. Alex
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/