Members of the Chaos Computer Club, the infamous hacking elite of Germany,
caused German TV audiences to gasp last week when they demonstrated an ActiveX
hacking program that allowed them to access copies of Quicken, the accounting
software package from Intuit, and transfer
money between bank accounts, without needing to enter the normal password
security systems of Quicken.
The sinister aspect of Chaos' ActiveX package is that Quicken now allows
interactive access to online banking services, to carry out automated
transfers. In front of German TV audiences, the Chaos Computer Club
apparently carried out a number of transactions without any authorization
whatsoever.
According to the Chaos Computer Club, the ActiveX program is now available
for download by members of the club on the club's Website. Once the package
is downloaded from the site and executed, it scans the user's PC for the
presence of Quicken and extracts details of the user's bank accounts held
within the package.
The ActiveX software then tricks Quicken into transferring funds from one
bank account to another the next time a user logs on to an online banking
service. The transactions are apparently masked from the user, who is led to
believe that only authorized transactions are being carried out.
According to Newsbytes' sources, the ActiveX program that the Chaos members
have created allows users to take advantage of the "accountability" system
known as Authenticode that ActiveX uses.
Normally, Authenticode allows a programming module of Internet Explorer to
include a digital signature authenticating the transaction and the data
channel itself. What the Chaos ActiveX program appears to do is hack the
Authenticode data stream and bypass the native controls in the Authenticode
programming code itself. Using this approach appears to allow the ActiveX
program to bypass many of the security controls of IE itself.
IE users should not worry too much about the security implications, as the
German media quotes Microsoft Deutschland as confirming that it is working
with its software developers to ensure that the security loopholes
identified by the Chaos Computer Club are clearly understood by IE and
ActiveX programmers. (Newsbytes)