The Royal Bank of Scotland (RBS) has fixed a cross-site scripting flaw in its Worldpay internet payments service that could have allowed attackers to steal users' credit card details, according to a report.
Adam Grit discovered the cross-site scripting (XSS) flaw in a secure payment page of the Worldpay site, RBS' Internet payments service, according to a report from IT industry journal The Register.
The flaw allowed third parties to inject content into the page, as Grit demonstrated with a pop-up window reading "Is it safe?".
An attacker could have taken advantage of the flaw to inject a false login box and steal user credentials, Grit said.
"I have tested this and confirm that unfortunately it does work on the live Worldpay website," Grit wrote in a 29 April email to RBS, quoted in the report. "Potentially, a fraudulent website could send the user to the Worldpay website in order to pay for their purchase, with all of the credit card details being then sent back to the hacker's server."
The flaw reportedly remained in place until Monday, a delay of three weeks, but has now been patched.
The page affected was protected by an SSL certificate, which industry bodies have said can instil a false sense of security.
In newer browsers, SSL-protected sites are downplayed in favour of those using Extended Validation SSL, which requires more thorough validation of the body requesting the certificate.
Last week eBay's PayPal acknowledged a similar XSS flaw that affected a page using an EV-SSL certificate, casting doubt on the claims of EV-SSL to assure users of more secure web pages.
RBS did not immediately respond to a request for comment.