Skip to main content

Virtually all banking web apps are vulnerable to hackers, study finds

Using a computer today feels a bit like walking through a minefield, at least when we are using them to access or share personal and sensitive information. That is particularly true for our financial information, where the wrong person getting access to our data could mean a whole lot of pain. According to a recent study, using our bank’s web application is one of the biggest mines that we probably don’t know about.

The news comes via security firm Positive Technologies, which looked at web application security in a recent report. The results are disturbing, to say the least, with every web application tested in 2017 having at least one vulnerability, and with 94 percent having at least one vulnerability that was characterized as “high-severity.”

According to Leigh-Anne Galloway, Positive Technologies’ cybersecurity resilience lead, “Web applications practically have a target painted on their back. A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network. Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code.”

The results were even worse when looking strictly at banking and finance web applications, which made up 46 percent of the test group. Every one of the banking and finance web applications covered in the report suffered from high-severity vulnerabilities. As the organization points out, these applications are also the most attractive to hackers and so their vulnerabilities are of particular concern.

Furthermore, the data shows that 87 percent of banking and government web applications are open to attacks against users, with cross-site scripting vulnerabilities present in 82 percent of the tested web applications. That makes them good targets for phishing attacks that can infect user PCs with malware.

Clearly, the banking industry has work to do to clean up its web applications. As always, the presence of these kinds of vulnerabilities serve as a reminder that we all need to be constantly vigilant in monitoring our financial data, because we never know which online transaction will be the one that opens us up to an attack.

Mark Coppock
Mark has been a geek since MS-DOS gave way to Windows and the PalmPilot was a thing. He’s translated his love for…
A dangerous new jailbreak for AI chatbots was just discovered
the side of a Microsoft building

Microsoft has released more details about a troubling new generative AI jailbreak technique it has discovered, called "Skeleton Key." Using this prompt injection method, malicious users can effectively bypass a chatbot's safety guardrails, the security features that keeps ChatGPT from going full Taye.

Skeleton Key is an example of a prompt injection or prompt engineering attack. It's a multi-turn strategy designed to essentially convince an AI model to ignore its ingrained safety guardrails, "[causing] the system to violate its operators’ policies, make decisions unduly influenced by a user, or execute malicious instructions," Mark Russinovich, CTO of Microsoft Azure, wrote in the announcement.

Read more