I saw this post over at David's blog and all that I have to say is that … I am not surprised. E-banking applications aren't good over here in Slovenia, but this one from David's post tops the list by far. Here is the screenshot from his blog (I hope he doesn't mind that I've made a copy of it).
So, you might say "heck, errors happen". Yes they do, but this one shows bank ignorance at its worst. Even though their representative Janez explains in a comment that the error and the use of an Access(!) database are unrelated to the core application itself, he is bloody wrong. So, what can you see from this error:
- They are using Access
- They are using asp
- They are using an ODBC driver (who knows why...)
- The code that connects to the database is in the file /obvestila/DBConn.asp, and the connection itself is on line 9
- They have never heard of the rule "never, ever show internal errors to the public"
These are 5 pieces of knowledge that should remain hidden, especially in this kind of sensitive application. Do you wonder what other errors might reveal? But the real problem is not this particular data; it is the fact that they are showing data that should never be visible from outside. This leads me to think that their application, or at least a part of it, is really badly written, and that it might be highly vulnerable to malicious attacks. Such a message certainly doesn't give you a sense of security. I also wonder how scalable the application is when used by more than 5 concurrent users.
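To make the point concrete, here is an added example (not code from the bank, from David, or from this post) of the kind of check a defender can run over HTTP responses: it pulls out exactly the facts the list above enumerates (scripting technology, ODBC driver, Access/Jet engine, error code, script path and line number) and shows the generic message that should have reached the client instead, with the details kept in an internal log record. The sample response is constructed in the layout IIS uses for classic ASP script errors; only the path /obvestila/DBConn.asp and line 9 come from the post, the rest of its wording is an assumption.

```python
"""Detect information leakage in verbose server error pages.

Added example for this post, not the bank's or the blog author's code.
Given an HTTP response body, it reports which internal details a classic
ASP / ODBC error page reveals. The sample response is constructed; its
exact wording is an assumption.
"""
import re
import uuid

# Constructed sample in the layout IIS uses for classic ASP script errors.
SAMPLE_RESPONSE = """<html><head><title>Error</title></head><body>
<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for ODBC Drivers</font> <font face="Arial" size=2>error '80004005'</font>
<p>
<font face="Arial" size=2>[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot open the file '(unknown)'.</font>
<p>
<font face="Arial" size=2>/obvestila/DBConn.asp</font><font face="Arial" size=2>, line 9</font>
</body></html>
"""

# Technology fingerprints that a public error page should never carry.
TECHNOLOGY_SIGNATURES = {
    "asp": re.compile(r"\.asp\b", re.I),
    "odbc": re.compile(r"Provider for ODBC Drivers|\[ODBC ", re.I),
    "access": re.compile(r"Microsoft Access Driver|Jet database engine", re.I),
}
ERROR_CODE_RE = re.compile(r"error '([0-9A-Fa-f]{8})'")
SOURCE_LOCATION_RE = re.compile(r"(/[\w./-]+\.asp)\s*,\s*line\s+(\d+)", re.I)


def strip_html(body: str) -> str:
    """Remove tags and collapse whitespace so a signature split across <font> tags still matches."""
    text = re.sub(r"<[^>]+>", " ", body)
    return re.sub(r"\s+", " ", text).strip()


def extract_leaks(body: str) -> dict:
    """Return the internal details an error page discloses (empty dict if none)."""
    text = strip_html(body)
    leaks = {}
    technologies = [name for name, rx in TECHNOLOGY_SIGNATURES.items() if rx.search(text)]
    if technologies:
        leaks["technologies"] = technologies
    m = ERROR_CODE_RE.search(text)
    if m:
        leaks["error_code"] = m.group(1)
    m = SOURCE_LOCATION_RE.search(text)
    if m:
        leaks["source_file"] = m.group(1)
        leaks["source_line"] = int(m.group(2))
    return leaks


def is_verbose_error(body: str) -> bool:
    """Monitoring check: True if the response leaks any internal detail."""
    return bool(extract_leaks(body))


def public_error_response(body: str) -> tuple[str, dict]:
    """What the client should see instead: a generic message, plus an internal
    log record that carries the details; the two are linked by a reference id."""
    ref = uuid.uuid4().hex[:12]
    public = f"An internal error occurred. Please contact support and quote reference {ref}."
    internal = {"ref": ref, **extract_leaks(body)}
    return public, internal


if __name__ == "__main__":
    print(extract_leaks(SAMPLE_RESPONSE))
    public, internal = public_error_response(SAMPLE_RESPONSE)
    print(public)
    print(internal)
```

Run against a crawl of the public site, `is_verbose_error` flags any page that still renders a raw script error; the extracted dictionary is what an outsider learns from one such page, which is exactly the list above.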
Anyway, I am sure the application was written by the cheapest company… Kudos to everybody using this application for their courage.
UPDATE: The page with the error shown above is not a page from their e-banking application but from their e-banking entry page. Their e-banking application is actually located at another web address, and it seems to be a Java application. So the two might be separate. Nevertheless, all of the criticism above is still very valid.
shall we play crash the bank site? :)))
Ouch!!! still can't trust my eyes 😉 that's very very evil. (And they are using http instead of https)
Have you read the comments on David’s site?
Which one?
Dear All,
The error is of course not connected with the application of Internet banking.
Please read the whole explanation on http://vidmar.net/weblog/archive/2007/08/29/what-you-dont-want-to-see-when-you-open-your.aspx
With my best regards,
Janez Demšar
I know, read the UPDATE paragraph. All the criticism still applies: it casts a bad light on your banking software (if your web site is poorly done, one might assume that the e-banking app is not much better) and it helps malicious users. Just as a simple example, what if somebody hacks into your web site and changes the link to the e-banking application (redirects to a similarly looking application)? Will your clients notice that they are passing their credentials to a false application? Would you notice that the link has been compromised?
So, the error is connected with your e-banking, perhaps not directly.