A weekend after heise Security demonstrated security flaws on the web pages of British banks, two of the original demonstrations of vulnerabilities ceased working. heise Security informed the vulnerable banks last week, and evidently Nat West and UBS deployed a quick fix. It seems that at least UBS was a bit too quick. A short test has revealed that the online banking application still does not filter user input sufficiently. So it is still possible to inject HTML code into the displayed page for online banking access and thereby modify the content displayed to users when they click on a link. The following demonstration inserts the heading "heisec: This is still vulnerable": Demo
Nat West is still using frames on the login page for online banking. But they have now removed the name of the frame, so an attacker can no longer easily address and replace its content.
Last Thursday heise Security set up a number of demonstrations showing how criminals could use simple methods to mount attacks against visitors to UK banking web sites, e.g. frame spoofing attacks against NatWest, Cahoot, Bank of Scotland, Bank of Ireland, First Direct and Link customers. These tests demonstrate how successful phishing can easily be implemented using the web sites of these respected financial institutions without their participation or knowledge. Incidentally, the same kind of attack works (mis)using the site of The Dedicated Cheque and Plastic Crime Unit, a bank-sponsored police force. Separate demonstrations showed a successful cross-site scripting attack using the UBS internet banking site as an unwitting vehicle, and a similar attack using the Bank of England's site. You can find these demonstrations in the article You can't Bank on Security.
On Monday the UBS bank changed their code again -- and still didn't get it right. The application ignores GET data now but still does not filter POST data sufficiently. So it is still possible to inject HTML code into UBS pages.
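The gap between filtering by request method and encoding at output can be shown in a few lines. This is an added example, not code from the bank or from heise Security; the form markup, the field name `contract` and the function names are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Hypothetical login form; the real page markup and field name are not on the page.
TEMPLATE = '<form method="post"><input name="contract" value="{value}"></form>'

# Constructed input: breaks out of the attribute and adds the heading from the demo.
INJECTED = {"contract": '"><h1>heisec: This is still vulnerable</h1>'}


def render_method_filtered(method, params):
    """Incomplete fix: GET data is ignored, POST data is still reflected unencoded."""
    value = params.get("contract", "") if method == "POST" else ""
    return TEMPLATE.format(value=value)


def render_encoded(method, params):
    """Encode for the HTML context at output time, whatever the request method."""
    return TEMPLATE.format(value=html.escape(params.get("contract", ""), quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag the parser encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(page):
    """Return the start tags an HTML parser sees in the rendered page."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    # Compare both renderers for both request methods.
    for render in (render_method_filtered, render_encoded):
        for method in ("GET", "POST"):
            print(render.__name__, method, tags_in(render(method, INJECTED)))
```

Comparing the parsed tag list against the template's own tags makes a useful regression test: any extra element in the output means user input reached the page as markup.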
To clarify the situation with Nat West: Nat West changed their pages in such a way that they cannot be exploited easily. Nonetheless, it is still possible to mount frame spoofing attacks against their pages. But as this requires advanced techniques, heise Security will not publish a demo exploit for this issue.