Comerica bank discovers full disclosure

Comerica bank seems to think disclosing cross site scripting vulnerabilities in the bank’s web site is illegal:

“Comerica hereby demands that the above-referenced Subject Site be shut down immediately and that the identity of the account holder be provided to the undersigned.

Comerica’s demand is based upon the fact that the Subject Site is designed to enable that subscriber and anyone else viewing the site to take actions to attempt to impersonate Comerica to its customers”

(full document here)

No Comerica, it’s not the “how to use Comerica com to phish their customers” that enables that, it’s that enables that. But at least I finally know why I’m receiving a flood of Comerica phishing emails in the last few weeks (I haven’t even heard of the bank before then).

Needless to say, they haven’t fixed the problem. Of course, for them the problem is not that phishers can attack Comerica bank customers but that somebody is saying it out loud.

Comerica XSS

(more pictures here)

(via @lancejssc)