The flaw was discovered a week ago by SC Magazine, which gave the bank a week to address the issue before going public (which it did at 6:30 on Thursday morning).
Of interest is the very generous statement that "The outsourcer was understood to be considering fixing the bug." A Salmat [the identified outsourcer] spokesperson told iTWire that the company strongly denied any involvement in the development of this system, insisting that the ANZ Bank was the developer.
The issue with the online statements relates to browser histories: after the statement page is closed, it stays retrievable from the browser's history (and, as the cache advice below implies, from the cached copy of the page) without the user having to log in again. If this is a PC in your own home, it's probably not a problem; but on an Internet café computer it is, because the next person to use the machine can simply scan the recently visited pages and open the statement.
All parties have recommended that browser histories be deleted after viewing a statement, but this is really only a partial fix: it relies on every customer remembering to do it on every machine, and the cached page content is not necessarily removed along with the history entry.
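The article does not say what ANZ's "proper fix" will be. The standard server-side remedy for this class of problem is for the statement response to tell the browser not to store it at all, while still requiring an authenticated session for any re-fetch (the history entry itself, which is just a URL, cannot be suppressed by headers). The following is an added example, not ANZ or Salmat code; the two HTTP responses, the `/estatements/view` path and the cookie value are constructed for illustration. It parses a raw response and lists the caching-related defects that would let a shared machine retain a statement.

```python
"""Check whether an HTTP response for a sensitive page tells the browser
(and any intermediate proxy) not to retain a copy of it.

Added example, not code from the bank or its outsourcer.  The response
texts below are constructed; the path /estatements/view and the cookie
value are hypothetical.
"""

# Constructed: a statement response with no caching directives at all.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>Statement for account ending 1234 ...</body></html>"
)

# Constructed: the same response with the directives a practitioner
# would expect on a page that must never survive the session.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate, private\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "Set-Cookie: session=abc123; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>Statement for account ending 1234 ...</body></html>"
)


def parse_headers(raw_response):
    """Split a raw HTTP/1.x response into a dict of lower-cased header names.

    Only the header block is examined; the body is ignored.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def cache_directives(headers):
    """Return the set of Cache-Control directives, lower-cased."""
    raw = headers.get("cache-control", "")
    return {d.strip().lower() for d in raw.split(",") if d.strip()}


def retention_problems(headers):
    """List the reasons a browser or proxy may keep a copy of this response.

    An empty list means the response is marked non-cacheable for both
    HTTP/1.1 and legacy HTTP/1.0 caches.
    """
    problems = []
    directives = cache_directives(headers)
    if "no-store" not in directives:
        problems.append("Cache-Control lacks no-store: browser may write the page to disk")
    if "private" not in directives and "no-store" not in directives:
        problems.append("Cache-Control lacks private: shared proxies may cache the page")
    if headers.get("pragma", "").lower() != "no-cache":
        problems.append("Pragma: no-cache missing: HTTP/1.0 caches may retain the page")
    if "expires" not in headers:
        problems.append("Expires header missing: caches without Cache-Control support may retain the page")
    return problems


def hardened_statement_headers():
    """Headers to emit on any response carrying statement data."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, private",
        "Pragma": "no-cache",
        "Expires": "0",
    }


if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = retention_problems(parse_headers(raw))
        print(f"{label}: {len(findings)} problem(s)")
        for f in findings:
            print("  -", f)
```

Note that these headers only stop the browser storing the statement content. The URL still lands in the history, so reopening it must trigger a fresh, authenticated request; a statement page that can be fetched from a bare URL without a valid session remains exposed regardless of its cache headers.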
It was only later that ANZ announced they would disable the service.
This error ranks right up there with the First State Super URL-editing breach. In fact it's such a basic error that it doesn't appear as an entry of its own in the OWASP Top Ten Web Application Security Risks, which enumerates the well-known risks; it is the kind of cache-control oversight the OWASP Testing Guide covers under browser cache management.
ANZ has said that the service will remain offline until a proper fix is installed, but warns this could take weeks. In the meantime iTWire recommends all users of this service clear the browser history and cache on every machine they have used to view statements. The more paranoid in the audience might also like to add a disk cleanup followed by a defrag, bearing in mind that neither of those overwrites the freed disk blocks; only a secure-erase tool does that.
Following initial publication of this report, Salmat issued the following statement to iTWire:
Salmat is working with ANZ Bank to resolve the security issue with its e-Statements.
This security issue is not a flaw or breakdown in Salmat systems or processes.
Salmat can confirm that there is no associated security risk for any other bank or credit union using a Salmat system for bank statements.
The company was contacted for clarification of this statement and their response has been included on the first page. ANZ Bank has also been invited to respond.