Vulnerability Management

Researcher identifies XSS vulnerability affecting Citibank website

A security researcher who goes by the name ‘E1337' identified a cross-site scripting (XSS) vulnerability affecting the website belonging to Citibank – www.citibank.com – and reported it on Friday to XSSposed.org, an archive where researchers can report XSS vulnerabilities impacting websites.

The issue has yet to be patched, according to the post, which shows the latest check for a patch as being performed on Monday.

The XSS bug puts users, visitors and administrators at risk of having their cookies, personal data, authentication credentials and browser history stolen by attackers, the post indicates, adding these are “probably the less dangerous consequences of XSS attacks.”

According to the post, increasingly sophisticated XSS attacks are being paired with spear phishing, social engineering and drive-by attacks.

A Citi spokesperson was not immediately available for comment. 

UPDATE: Citi notified SCMagazine.com on Thursday that the issue has been resolved. The XSSposed.org post has been updated.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds