Wells Fargo Vulnerability
A couple of months ago Wells Fargo patched this vulnerability. I noticed it about a year ago, by accident.
The sign-in form on the http://WellsFargo.com website and the Wells Fargo iPhone app were both tested, and both exhibited the vulnerability.
Not all user accounts were affected, but my account WAS affected.
Vulnerability:
With correct username and correct password entered, any extra characters entered in the “Password” field after the correct password still resulted in a successful login.
Supposing there were no limit on the number of failed logins and/or no delay between unsuccessful attempts, this would be a much more serious vulnerability.
The failure to properly sanitize the password input field greatly reduces the number of guesses necessary to brute-force the password.
For example, not only “password123”, but also “password123777” and “password123456” would result in a successful login.
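The behaviour above is what a login routine shows when it silently keeps only the first few characters of the submitted password before hashing or comparing it. The following is an added example, not Wells Fargo's code and not anything from the original post: a hypothetical credential store in which the truncating variant accepts "password123" plus any suffix (and, as a consequence the post does not spell out, any string that shares the first few characters), while the full-length variant does not. It also carries the post's "extra characters still log in" observation as a QA probe a site owner can run against their own login, and works out by how much truncation shrinks an exhaustive search. The character limit of 8, the 62-symbol alphabet and the sample passwords are constructed for illustration.

```python
"""Password-truncation defect, illustrated.

Hypothetical example (not Wells Fargo's code).  The limit of 8 characters,
the 62-character alphabet and the sample passwords are constructed values.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000   # work factor for the password hash (constructed value)
ALPHABET_SIZE = 62       # letters and digits, for the search-space arithmetic


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-size key from the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


class Account:
    """Stored credential: random salt plus the derived key.

    limit=None  -> the whole password reaches the hash (correct).
    limit=N     -> only the first N characters reach the hash (VULNERABLE):
                   the real password followed by any suffix is accepted,
                   which is exactly the symptom described in the post.
    """

    def __init__(self, password: str, limit=None):
        self.salt = os.urandom(16)
        self.limit = limit
        # Slicing with None keeps the full string; with an int it truncates.
        self.key = hash_password(password[:limit], self.salt)

    def verify(self, candidate: str) -> bool:
        """Constant-time comparison of the candidate's derived key."""
        material = candidate[:self.limit]  # same (mis)treatment as at enrolment
        return hmac.compare_digest(self.key, hash_password(material, self.salt))


def suffix_probe(account: Account, password: str, suffix: str = "777") -> bool:
    """QA check from the post: does the right password plus junk still log in?

    Returns True when the verifier is ignoring part of its input, which is a
    sign that the password is being truncated (or otherwise not compared in
    full) before it is checked.
    """
    return account.verify(password) and account.verify(password + suffix)


def guess_space(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of candidates an exhaustive search over `length` symbols covers."""
    return alphabet ** length


def search_space_reduction(password_length: int, limit: int,
                           alphabet: int = ALPHABET_SIZE) -> int:
    """Factor by which truncating to `limit` characters shrinks the search.

    Only the first min(password_length, limit) characters are ever compared,
    so everything beyond that point never has to be guessed.
    """
    effective = min(password_length, limit)
    return guess_space(password_length, alphabet) // guess_space(effective, alphabet)


if __name__ == "__main__":
    vulnerable = Account("password123", limit=8)
    correct = Account("password123")
    for name, acct in (("truncating", vulnerable), ("full-length", correct)):
        print(f"{name:11s} accepts 'password123777': "
              f"{acct.verify('password123777')}, "
              f"suffix probe flags it: {suffix_probe(acct, 'password123')}")
    print("16-char password cut to 8: search shrinks by a factor of",
          search_space_reduction(16, 8))
```

The probe is the same test the post describes, turned into something a site owner can run against a staging login with a known account: if the correct password with extra characters appended is accepted, the server is not comparing the full value, and the fix is to remove whatever truncation happens on the way to the hash function rather than to add input "sanitization" elsewhere.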
The moral of this story is to make sure any user-input fields on your website are properly “sanitized”. This is a perfect example of one of the things website customers should consider when choosing a web developer. The final product might LOOK great, but don’t forget that what’s behind the scenes is very important to security AND to your website’s SEO (search engine optimization).