Wells Fargo Vulnerability

A couple months ago Wells Fargo patched this vulnerability. I noticed it about a year ago, accidentally.

Both the sign-in form on the http://WellsFargo.com website and the Wells Fargo iPhone app were tested, and both exhibited the vulnerability.

Not all user accounts were affected, but my account WAS affected.

Vulnerability:

With the correct username and the correct password entered, any extra characters typed into the “Password” field after the correct password still resulted in a successful login.

If there were no limit on the number of failed logins, and no delay between unsuccessful attempts, this would be a much more serious vulnerability.

The failure to properly sanitize the password input field greatly reduces the number of guesses necessary to brute-force the password, because only the leading part of what is typed has to match.

For example, if the password were “password123”, then not only “password123” but also “password123777” and “password123456” would result in a successful login.
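To make the failure concrete, here is an added example that is not from the post and not Wells Fargo's code: a login check that silently truncates the submitted password to a fixed length before hashing, beside a corrected check that hashes and compares the full string. The truncation limit of 11 characters and the PBKDF2 storage scheme are assumptions chosen to reproduce the “password123” example above; the real limit and implementation are not known.

```python
import hashlib
import hmac
import os

# Assumed: the vulnerable check silently truncates the password to this many
# characters. 11 is a constructed value chosen to reproduce the post's
# "password123" example; the real limit is not given in the post.
TRUNCATE_AT = 11
ITERATIONS = 10_000  # kept low so the example runs quickly


def _hash(password, salt):
    # PBKDF2-HMAC-SHA256 stands in for whatever the real site uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register_vulnerable(password, salt=None):
    """Store a hash of only the first TRUNCATE_AT characters (the bug)."""
    salt = salt or os.urandom(16)
    return salt, _hash(password[:TRUNCATE_AT], salt)


def verify_vulnerable(candidate, salt, digest):
    # Same truncation on login, so any suffix beyond TRUNCATE_AT is ignored.
    return hmac.compare_digest(_hash(candidate[:TRUNCATE_AT], salt), digest)


def register_fixed(password, salt=None):
    """Store a hash of the complete password."""
    salt = salt or os.urandom(16)
    return salt, _hash(password, salt)


def verify_fixed(candidate, salt, digest):
    # Hash the full submitted string and compare in constant time.
    return hmac.compare_digest(_hash(candidate, salt), digest)


def accepted(verifier, salt, digest, candidates):
    """Which of the candidate strings log in: a quick regression check for the bug."""
    return [c for c in candidates if verifier(c, salt, digest)]


def effective_guesses(password_length, alphabet_size, truncate_at=None):
    """Size of the space a brute-force search must cover; truncation caps the length."""
    length = min(password_length, truncate_at) if truncate_at else password_length
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed sample: the post's "password123" plus the two suffixed variants it lists.
    candidates = ["password123", "password123777", "password123456", "password12"]
    salt, digest = register_vulnerable("password123")
    print("vulnerable accepts:", accepted(verify_vulnerable, salt, digest, candidates))
    salt, digest = register_fixed("password123")
    print("fixed accepts:", accepted(verify_fixed, salt, digest, candidates))
```

Running the script shows the truncating check accepting all three “password123…” strings while the corrected check accepts only the exact password; `effective_guesses` shows how the cap shrinks the search space a defender should assume an attacker faces.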

The moral of this story is to make sure any user-input fields on your website are properly “sanitized”. This is a perfect example of one of the things website customers should consider when choosing a web developer. The final product might LOOK great, but don’t forget that what’s behind the scenes is very important to security AND to your website’s SEO (search engine optimization).