Bailout money apparently has not been applied to improving web security at Merrill.
From SecuObs:
The Merrill Lynch OnLine Login page is vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF), leaving customers at risk for financial compromise via phishing or credential theft.

As always, I followed my terms of engagement, sending no less than three emails over a period of no less than two weeks, even allowing a couple of extra days for the holidays. To date I have not received a single response, automated or otherwise.

The point is best driven home via video, but the details are simple enough. A properly formed IFRAME fits neatly, front and center, on Merrill Lynch’s OnLine login, embedding Morgan Stanley’s ClientServ login page, just to prove the point.

[Screenshots: Merrill Lynch OnLine before and after]

Web application vulnerabilities and SOX compliance

It’s obvious that vulnerabilities such as that described above indicate a clear break from PCI compliance.
Um, whoops.
For the full article read on.