| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: Michael.Schmidt at T-Mobile.com (Schmidt, Michael R.) Subject: http://www.chase.com/ vulnerability Yes, you are correct; when you go to the "contact us" page they require you to use the quite un-secure login page first. That is brilliant. The credentials are passed along unsecured over the Internet. I am glad that my bank has an actual SSL login page. I sent them a message - one that the page said was "protected" via SSL, which it was not, it was however posted to a page that had SSL, then redirected to a non protected thank you page. This is such poor security that it is frightening. Do they not understand that all the posted data is being sent clear text? Someone needs to be fired. -----Original Message----- From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Perry E. Metzger Sent: Friday, May 28, 2004 10:57 AM To: full-disclosure@...ts.netsys.com Subject: [Full-Disclosure] http://www.chase.com/ vulnerability I don't know if this is the right place to note a vulnerability in an individual web site, but it is the web site of one of the largest banks in the world, and it is a serious vulnerability. I have given up on finding anyone inside JP Morgan Chase to tell about it, and not for lack of trying. If you go over to http://www.chase.com/, you will note that there is a form on the front page to enter your userid and password for your bank account. Note that the page is downloaded without SSL -- it is an ordinary http downloaded page. If the page isn't mangled by evil people, this is vaguely safe because the form posts the information via SSL, but as we all know, the world is *not* free of bad guys, and a person with malice in their heart could "man in the middle" attack you and redirect the form to a site of their choosing. One could, of course, always read the html to make sure it is pointing at the right place, but as no one ever does that it is barely worth mentioning. The man in the middle attack can be done in a variety of ways, including spoofing DNS replies to victims computers or wholesale interception of the the http request. Wireless also makes for some fun games. I leave all that as an exercise to the reader -- how such an attack is performed isn't important, only that Chase has left its customers vulnerable to such an attack. Note that Chase is effectively training their customers to enter in vital passwords into forms downloaded in the clear, which is precisely the opposite of what it should encourage. A major international bank should know better. In addition, they display a small image of a closed lock next to the insecure form -- thus training their users to be confused about what the lock image in the corner of their browser means, and about when they are and are not entering data securely. I first reported this problem to Chase quite some time ago, and I tried reporting it again to them about three months ago. I got nowhere. I more recently resorted to asking a friend who worked at the company to leak me the name of a Chase internal security person, and I emailed them. They replied, saying they would look in to it, but sadly no action whatsoever has been taken. It is a shame that so many large companies have made it effectively impossible for their customers to report problems, such as security issues. I should not have to resort to posting in public to get the problem fixed. Sadly I'm unsure of any other way to proceed. -- Perry E. Metzger perry@...rmont.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists