[Note: The original headline for this post mistakenly identified Ameritrade as the subject of the post. It is actually Ameriprise Financial. I deeply regret the error.] Since March of this year, security expert Russ McRee of HolisticInfoSec.org has sent 6 messages to Ameriprise Financial warning them of easily exploitable security holes on their website. They ignored every request, while at the same time reassuring customers that “No one without the proper web browser configuration can view or modify information contained on our systems.”
According to The Register,
For the past five months, a website for investment services giant Ameriprise Financial contained bugs that allowed even low-level criminals to inject malicious content into official company webpages and steal user’s cookies, according to a web security expert.
The XSS, or cross-site scripting, flaws made it possible for phishers to send Ameriprise customers bona fide links to the Ameriprise website that opened pages that intermingled counterfeit content with legitimate text and graphics. The holes could also allow criminals to steal browser cookies used to authenticate online accounts.
Ameriprise’s vice president of public communications responded, “There’s no one at risk here,” by which we assume he means, “No one important on our side of things. Our customers can suck it.”
Russ McRee points out that all financial websites should show more diligence when it comes to maintaining security. It would be easy enough to implement: “There should be something on their site that says ‘If you see a security issue on our site, please report it.’”
Visit The Register’s article to see actual examples of the type of exploits that have been on Ameriprise’s website for nearly half a year. The Register adds, “Such web-application flaws are often easy to fix because they require only a line or two of code to be changed. Sure enough, Ameriprise repaired its site less than two hours after The Register notified company representatives of the vulnerabilities.”
“Security bugs crawl all over financial giant’s website” [The Register via jen_h]