Hundreds of Banking Sites Vulnerable to RSA Security Flaw, Researcher Finds
Brian Prince writes on eWeek:
RSA, EMC’s security division, is advising customers to apply a two-year-old patch for its Adaptive Authentication product after a researcher discovered hundreds of banking Websites are still open to attack.
RSA Adaptive Authentication is a risk-based fraud prevention and authentication platform that measures risk indicators to identify suspicious activities. According to RSA, versions 2.x and 5.7.x of the on-premise edition of the product are vulnerable to cross-site scripting due to a Flash Shockwave file provided by the Adaptive Authentication system.
The vulnerability in question was actually patched in 2008, but was brought back into focus recently when Nir Goldshlager, a security consultant with Avnet Technologies, discovered many online banking sites were still vulnerable to attack, something he uncovered after searching for the affected filename in Google. He reported his discovery to RSA in November.
Still, hundreds of sites remain vulnerable, he told eWEEK today.