In Mexico it is possible to send bank statements via standard email; however, the law requires that certain security mechanisms be in place so that no unauthorized party is able to read them. The user must provide a password in order to read the bank statement.
Most banks in Mexico use a password-protected ZIP file or a password-protected PDF in order to comply with the law. One particular bank took a different approach and used an HTML file to achieve the same goal. In this presentation, I analyze, from a security standpoint, the behaviour of this new kind of bank statement and a vulnerability that I found in it (which has since been fixed), and I end the presentation with an explanation and a demo of how that vulnerability could be exploited to view a bank statement without knowledge of the password.
Manuel Nader is a Security Researcher at Trustwave SpiderLabs. He works on tracking new vulnerabilities, identifying how those vulnerabilities are exploited, and writing code that detects the presence of, or exploits, those vulnerabilities. He previously worked on the offensive side of security, and before that on the defensive side. Manuel's favorite independent research involves web attacks.