A couple months ago Wells Fargo patched this vulnerability. I noticed it about a year ago, accidentally.
The sign-in form on the http://WellsFargo.com website as well as the Wells Fargo iPhone app were tested and exhibited the vulnerability.
Not all user accounts were affected. My account WAS affected.
With correct username and correct password entered, any extra characters entered in the “Password” field after the correct password still resulted in a successful login.
Supposing there were no limit on the number of failed logins, and/or no delay between unsuccessful logins, this would be a much more serious vulnerability.
The failure to properly sanitize the password input field means the server effectively accepts any value that merely begins with the correct password (the kind of behaviour you get when input is silently cut to a maximum length before being compared), which reduces the number of guesses needed to brute-force the password.
For example, not only “password123”, but also “password123777” and “password123456” would result in a successful login.
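To make the difference concrete, here is an added Python example (not Wells Fargo's code; nothing about their implementation is known): a login check that silently truncates the submitted password to an assumed maximum length before verifying it, beside one that verifies the full input and rejects over-long values instead of trimming them. The truncation length, the account record and the passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed example values: the post does not state any truncation length.
ASSUMED_TRUNCATION_LEN = 11   # assumed cause of the prefix-accepting behaviour
MAX_ALLOWED_LEN = 128         # hardened version: refuse, never trim, beyond this
PBKDF2_ROUNDS = 100_000


def make_record(password: str) -> dict:
    """Store a salted PBKDF2 hash of the *entire* password as entered."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def _matches(record: dict, supplied: str) -> bool:
    """Re-derive the hash for the supplied value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode("utf-8"),
                                    record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def vulnerable_check(record: dict, supplied: str) -> bool:
    """Reproduces the behaviour described in the post: the input is cut to a
    fixed length before it is checked, so 'password123777' and
    'password123456' verify exactly like 'password123'."""
    return _matches(record, supplied[:ASSUMED_TRUNCATION_LEN])


def hardened_check(record: dict, supplied: str) -> bool:
    """Verify the full input; any appended characters change the hash and
    fail the comparison.  Over-long input is rejected outright so no
    truncation can ever happen upstream of the hash."""
    if len(supplied.encode("utf-8")) > MAX_ALLOWED_LEN:
        return False
    return _matches(record, supplied)


if __name__ == "__main__":
    rec = make_record("password123")           # constructed account
    for guess in ("password123", "password123777", "password123456"):
        print(f"{guess:16} vulnerable={vulnerable_check(rec, guess)} "
              f"hardened={hardened_check(rec, guess)}")
```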
The moral of this story is to make sure any user-input fields on your website are properly “sanitized”. This is a perfect example of one of the things website customers should consider when choosing a web developer. The final product might LOOK great, but don’t forget that what’s behind the scenes is very important to security AND to your website’s SEO (search engine optimization).