Closed Bug 145959 Opened 22 years ago Closed 22 years ago

CIBC online banking no longer allows login.

Categories

(Core :: Security, defect)

x86
All
defect
Not set
normal

VERIFIED WORKSFORME

People

(Reporter: jasonb, Assigned: security-bugs)

Details

(Keywords: regression)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.0+) Gecko/20020520
BuildID:    2002052004

This may be a duplicate of bug 97034, but the description and symptoms are
different so I'm entering it as a separate bug.

I have been banking online with CIBC for almost a year now using Mozilla without
any difficulty. As of May 20, 2002, I can no longer log in.  I enter my bank card
information and password, click on the "Sign In" button and rather than being
taken to the banking screen, I'm dumped back to the CIBC Services page.

NOTE: You do not need to enter valid information.  If you enter a bogus account
number and/or password, the same thing will happen.

Their site design has also changed since the last time I used it (and it worked)
so I suspect regression on their part, rather than on the part of Mozilla.

They have always posted a "warning" about the latest Mozilla/Netscape being
incompatible, and for a brief period of time it did not allow you to log in (as
per bug 97034) - but a Mozilla fix was checked in almost a year ago (although
this was not reported in bug 93034, nor was the bug closed), and it worked just
fine with Mozilla since then.  Now, rather than displaying, "This page cannot be
viewed with the method you've chosen," it takes you back to the Services page. 
(Also, the Browser Security Info link DOES still work properly - it did not do
so in the other bug until it was fixed.)

If the CIBC site has now changed (for whatever reason) they should at least be
posting a "Mozilla error" message or something when you do try to log in rather
than just going to the Services page for no apparent reason.

Reproducible: Always
Steps to Reproduce:
1. Go to the URL.
2. Enter a valid (or invalid) CIBC bank account number and password.
3. Click on "Sign In".

Actual Results:  You are taken to the CIBC Services page.

Expected Results:  Your login information should be validated and you should
either be taken to the banking screen, or prompted for correct information.
Fix URL, and tested under i386 RH Linux, so OS -> All.  Since CIBC no longer
works with Mozilla (they used to merely not support Moz), this is a regression.
Alright. I've done a bit of looking into this and so far I can rule out a
useragent issue. The site is not just serving up garbage because it sees a
non-IE browser. It's also not a TLS 1.0 issue (works in IE either way, doesn't
work in Mozilla either way).

The form action points at
https://www.cibc.com/solution/service/pers/pcb/scripts/SignOn.jsp -- both
browsers agree that this page will dump you right back to www.cibc.com if typed
into the URL bar. So as far as I can see, there is either some funky redirecting
going on server side, or more likely some funky javascript going on client side.

I'll keep looking and see if I can find anything useful. Confirmed broken on RC2
(debian Linux 2.4.16) and RC3 (Windows 2000 SP2), works under IE5.01
*** Bug 151840 has been marked as a duplicate of this bug. ***
*** Bug 146503 has been marked as a duplicate of this bug. ***
This doesn't strike me as being an evang issue.
Changing component.
Assignee: momoi → mstoltz
Component: English: Non-US → Security: General
Product: Tech Evangelism → Browser
QA Contact: jeesun → bsharma
Version: unspecified → other
I can certainly offer to place some pressure on CIBC and make the connection 
with CIBC web designer/support if needed.
As I said earlier, I did some more looking into it and after some javascript
debugging, I'm *fairly* certain that Mozilla is interpreting the javascript
correctly (where correctly is interpreted as the same as IE).

The only thing I can imagine is that somewhere between the Form's action URL and
the www.cibc.com address Mozilla ends up at, the server is sending some funky
redirect, possibly due to a misunderstood header or POST value. However, I was
unable to find any definite cause because my usual method for debugging such
problems (tcpdump :) is not very useful for SSL connections... Good luck on this
one.

Note that you can get two different pages served to you by altering the
User-agent to look like IE or Netscape 4, but they all end up at the same place.
*** Bug 150646 has been marked as a duplicate of this bug. ***
Just an update on the progress.  I spoke with CIBC technical support today and
explained our findings; it turned out that they are aware and working on this
problem (looks like on their site as expected).  Basically, they said that there
is an initiative to enhance the web banking to support more browsers and
Netscape 6/Mozilla is definitely on the list but after M$ IE 6.  I have tried to
place some pressure to swap the priority but unless they hear a lot from us
through the feedback form or complaints, IE is still on top of Mozilla.  I am
going to submit one today.
Using Mac OS X 10.1.5 and Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US;
rv:1.0.0) Gecko/20020529 the CIBC start URL renders as a blank page, but there
is a large amount of code visible under View>Page Source.

You do not need to have a CIBC account to confirm this, just enter the URL.
Do we have any idea what the problem is?
Any updates?
The bug is still happening in Mozilla 1.1b. It's easy to reproduce. Go to the
URL listed, then type '1' into the Card Number field, and click the 'Sign In'
image. 

Expected Behavior: The server tells you "incorrect card number or password"
Actual Behavior: You end up at some funky URL on the http://www.cibc.com/ site
that simply displays the main page.

The site will display one of several different pages to you depending on what
useragent you spoof yourself as, including the Netscape 4.x one if you just go
with the default Mozilla useragent. This makes *no* difference to the result.

All the javascript works fine as best as I can tell. I have a feeling the server
is doing some really really weird HTTP-redirects, for some reason, and Mozilla
gets lost. I don't know how to debug it any further than I've gotten due to the
SSL connection. It *could* be some kind of bug in the way the SSL components
deal with redirects, or it could be utterly insane behavior on the part of
CIBC's webserver. It's hard to tell.
As of today (9/27) I was able to log in to CIBC again with Mozilla (2002092704
trunk / XP).

(Ironically, I discovered this because I was NOT able to log in with IE - I'd
click on login and nothing at all would happen.  I switched to Mozilla on a pure
whim to see if, by some small chance, that would do it.)

As soon as somebody else can confirm that CIBC is now working with Mozilla I'll
happily close this bug.
I don't know which version of Mozilla you have tried but I was on Linux earlier 
(MD8.1) and gave a try with Mozilla-1.0.1 and still observed the problem.
As I said in comment 14, I am using trunk build 2002092704 under XP.

Would somebody please confirm/deny with the latest build?
I just tried it, it works fine on build 2002092708 on Linux 2.4.16

Yay! :D
Excellent!

Since that's independent confirmation under a different OS (even better) I'm
going to close this as WFM.

If somebody finds that it does not work with a 9/27+ build, feel free to reopen it.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
Works on OS X as well with the 09/27 build.
Verifying resolution of all bugs I've reported.
Status: RESOLVED → VERIFIED