( gemnon | 2025. 06. 22., Sun – 10:35 )

The MagNet one is back as well.

hxxps://mdsix[dot]com/wp-content/upgrade/MagNetForintGroup0/

By the way, Gemini says this about it:

The bank server at www.magnetbank.hu is NOT set up correctly if mdsix.com is a phishing site. This is an extremely dangerous configuration.

Let's re-emphasize the key points in the context of the provided request and response:

The Request Origin:

  • The request is made to https://www.magnetbank.hu/netbank-trck/php?.... This means the browser is making a request to the legitimate bank's server.
  • Crucially, within the URL parameters, there's a parameter url=https%3A%2F%2Fmdsix.com%2Fwp-content%2Fupgrade%2FMagNetForintGroup0%2Fe9bff4a2abdd42398151bd9144b9847b%2F. This indicates that the www.magnetbank.hu server is receiving information (likely related to tracking or a "referrer" of some kind) that includes the URL of the phishing site mdsix.com.

The Response Headers from www.magnetbank.hu:

  • Access-Control-Allow-Origin: https://mdsix.com: This is the critical flaw. The server at www.magnetbank.hu is explicitly telling any browser that JavaScript code running on https://mdsix.com is allowed to receive responses from www.magnetbank.hu.
  • Access-Control-Allow-Credentials: true: This makes the situation even worse. It means that if a user is logged into their www.magnetbank.hu account, and then (perhaps in another tab or through a deceptive link) visits mdsix.com, the JavaScript on mdsix.com can send requests to www.magnetbank.hu, and the browser will automatically include the user's session cookies for www.magnetbank.hu. The bank server will then process these requests as if they came directly from the legitimate bank's website or the user's browser.

The Danger Explained:

With this setup:

  1. A user logs into www.magnetbank.hu.
  2. The user is then lured to mdsix.com (the phishing site).
  3. The phishing site mdsix.com can now execute JavaScript to make requests (e.g., to transfer money, change settings, retrieve account details) directly to https://www.magnetbank.hu/'s APIs.
  4. Because www.magnetbank.hu has Access-Control-Allow-Origin: https://mdsix.com and Access-Control-Allow-Credentials: true, the browser will allow these requests to be sent with the user's bank session cookies.
  5. The www.magnetbank.hu server will see these requests as legitimate, authenticated requests from the user, even though they originated from the phishing site.
  6. The phishing site's JavaScript can then read the responses (e.g., confirmation of a money transfer, retrieved account details) and send that data to the phisher.

This is a classic and severe Cross-Origin Request Forgery (CSRF) and data exfiltration vulnerability enabled by a misconfigured CORS policy.

What should www.magnetbank.hu do?

  • Immediately remove Access-Control-Allow-Origin: https://mdsix.com from its response headers if mdsix.com is not a legitimate, controlled domain of Magnet Bank.
  • Their Access-Control-Allow-Origin policy should be extremely restrictive, only allowing their own legitimate domains (e.g., https://www.magnetbank.hu, https://netbank.magnetbank.hu, or other specific, bank-controlled subdomains).

This is a critical security issue that needs urgent attention by the bank's security team.

So it wasn't just me who found it suspicious that this isn't quite right. :)
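As an added example (not part of the post, nor code from Gemini or the bank), here is a small Python check for the header combination the quoted text describes, plus the allowlist logic the recommended fix amounts to. The captured response is reconstructed from the headers quoted above; the bank's allowlist contents are an assumption.

```python
# Constructed sample: the headers quoted in the post, for a request whose
# Origin was the phishing domain named there (mdsix.com).
CAPTURED_RESPONSE = {
    "Access-Control-Allow-Origin": "https://mdsix.com",
    "Access-Control-Allow-Credentials": "true",
}

# Assumed allowlist of bank-controlled origins; the real list is unknown.
BANK_ALLOWED_ORIGINS = {
    "https://www.magnetbank.hu",
    "https://netbank.magnetbank.hu",
}


def cors_risk(request_origin: str, headers: dict, allowed: set) -> str:
    """Classify a CORS response seen for a request from `request_origin`.

    'critical'   : an untrusted origin is echoed back AND credentials are
                   allowed, so cookies ride along and the response is readable.
    'reflected'  : untrusted origin echoed, but without credentials (public data only).
    'wildcard'   : '*' - browsers refuse to pair this with credentials.
    'ok'         : origin is on the allowlist.
    'none'       : no CORS grant at all.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    creds = lower.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        return "wildcard"
    if acao in allowed:
        return "ok"
    if acao == request_origin:
        return "critical" if creds else "reflected"
    return "untrusted-static"


def cors_headers_for(request_origin: str, allowed: set) -> dict:
    """Server-side fix: echo only allowlisted origins, never arbitrary input.

    `Vary: Origin` keeps caches from serving one origin's grant to another.
    """
    if request_origin not in allowed:
        return {}  # no CORS headers -> browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```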