Lamest "security" ever.

Normally I would abstain from pointing out security issues on others’ websites, but since this bit of code provides absolutely no security at all I can do so with a clear conscience. The bit of code below is from my former bank’s personal account login. I quickly changed banks after realizing how much they understand/care about security.

function encryptString(strPlain) {
  // Convert to lower case
  // (original comment; the code never actually changes the case)
  // Run the reflection cipher on each letter in the string
  var strCipher = "";
  for (var i = 0; i < strPlain.length; i++) {
    strCipher = strCipher + flipLetter(strPlain.charAt(i));
  }
  return strCipher;
}
function flipLetter(chrLetter) {
  // Executes a reflection cipher,
  // substituting one letter for its alphabetic inverse
  switch(chrLetter) {
    case "a": chrLetter = "z"; break;
    case "b": chrLetter = "y"; break;
    case "c": chrLetter = "x"; break;
    //etc, etc...
    case "X": chrLetter = "C"; break;
    case "Y": chrLetter = "B"; break;
    case "Z": chrLetter = "A"; break;
    default: chrLetter = chrLetter; break;
  }
  return chrLetter;
}

No, your eyes don’t deceive you. They really did think a letter-substitution cypher written in JavaScript was OK.
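Why this protects nothing, as an added example that is not part of the original post or the bank's code: the reflection cipher has no key and is its own inverse, so the same routine that "encrypts" also decrypts, and anything that is not a letter passes through untouched. The names `reflect` and `analyse` and the sample value are constructed for illustration, and the arithmetic assumes the elided switch cases follow the same a/z, A/Z pattern.

```javascript
// Added example: arithmetic form of the reflection (Atbash) cipher above.
// Assumption: the elided switch cases follow the same a<->z, A<->Z pattern.
function reflect(text) {
  let out = "";
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    if (code >= 97 && code <= 122) {
      out += String.fromCharCode(219 - code); // 'a'(97) + 'z'(122) = 219
    } else if (code >= 65 && code <= 90) {
      out += String.fromCharCode(155 - code); // 'A'(65) + 'Z'(90) = 155
    } else {
      out += ch; // digits, punctuation, everything else: unchanged
    }
  }
  return out;
}

// Summarise what the transform does (and does not do) to an input.
function analyse(plain) {
  const cipher = reflect(plain);
  const plainChars = [...plain];
  const cipherChars = [...cipher];
  return {
    cipher,
    // Applying the same function again recovers the input: no key, no secret.
    roundTrip: reflect(cipher),
    // Output length equals input length, so the length is disclosed as well.
    sameLength: cipherChars.length === plainChars.length,
    // Characters that were not transformed at all.
    unchangedChars: plainChars.filter((ch, i) => ch === cipherChars[i]).length,
  };
}

const sample = "Hunter2!"; // constructed sample value, not from the page
console.log(analyse(sample));
```

Because the transform runs in the browser and is fully reversible, whatever it produces is equivalent to the plaintext for anyone who can see it; confidentiality in transit comes from TLS, and the server should store only a salted, slow password hash.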
