full-disclosure-uk August 2008 archive

[Full-disclosure] Brazilian Bank (Caixa Economica Federal) Stupid Vuln #02 (Opera's Style)

From: H2G-Labs Information Security <h2glabs.infosec_at_nospam>
Date: Sat Aug 09 2008 - 17:01:44 GMT
To: full-disclosure@lists.grok.org.uk


Hi folks,
Some Brazilian banks have implemented a system based on computer identification (like a PC register).

The system has some vulns and can be easily exploited.

Caixa Economica Federal (http://www.caixa.gov.br) never replied to us. So, we will show another stupid way to bypass the computer identification.

One more time, if the attacker has the USERNAME and the PASSWORD of the user account, the attacker can log in to the bank account without identifying the computer.

To do this, just download the Opera Browser. (Yes, this is a stupid way to bypass the bank "protection".)

The system based on computer identification can be easily bypassed using the Opera Browser.

So, download the Opera Browser and you will be logged in, without needing to register/identify your machine. :Pwned!

Well, I hope the CAIXA team solves this problem quickly. And next time, replies to our mails.

Sorry for the bad English.

Regards...

--
H2G-Labs Information Security
Igor Marcel - Information Security Consultant
H2GLabs.InfoSec "at" Gmail.com



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/