A security researcher who goes by the name ‘E1337' identified a cross-site scripting (XSS) vulnerability affecting the website belonging to Citibank – www.citibank.com – and reported it on Friday to XSSposed.org, an archive where researchers can report XSS vulnerabilities impacting websites.
The issue has yet to be patched, according to the post, which shows the latest check for a patch as being performed on Monday.
The XSS bug puts users, visitors and administrators at risk of having their cookies, personal data, authentication credentials and browser history stolen by attackers, the post indicates, adding these are “probably the less dangerous consequences of XSS attacks.”
According to the post, increasingly sophisticated XSS attacks are being paired with spear phishing, social engineering and drive-by attacks.
A Citi spokesperson was not immediately available for comment.
UPDATE: Citi notified SCMagazine.com on Thursday that the issue has been resolved. The XSSposed.org post has been updated.