Message-ID: <87brk745ss.fsf@snark.piermont.com>
From: perry at piermont.com (Perry E. Metzger)
Subject: http://www.chase.com/ vulnerability

"James Patterson Wicks" <pwicks@...gen.com> writes:
> The Chase home page has been like this for over a year.  I was a bit
> worried after the change, so I just bypassed it.  If you feel more
> secure logging in on an SSL page, just do the following:

You can also just go to https://chaseonline.chase.com/ -- that's not
the point. The point is that at the very least, they're training their
users to follow a very dangerous behavior -- entering passwords into
forms downloaded via untrusted paths. They're even telling their users
this is absolutely riskless by putting a lock icon right on the front
page and having a FAQ that explains that your password is totally
protected so you have nothing to worry about -- which is, of course,
untrue since there is no guarantee that their front page has not been
tampered with.

> Since Chase changed this page over a year ago, I'm sure we would have
> heard something if the Chase site was being exploited.

First, I doubt we would have heard anything. Chase might not even
know, for one thing -- I doubt they investigate cases of password
theft very deeply. Second of all, even if it hasn't been exploited
yet, it is inviting trouble.

For years people scoffed when I'd say "the idea of .exe
archive/installer files is terrifying. Microsoft is training its users
to run programs sent in email, and some day they're going to reap the
whirlwind." Well, eventually, someone decided to exploit that
stupidity.

Some day, some gang is going to start ripping off customers of Chase,
American Express, Wells Fargo, and other companies that are
perpetuating this foolishness, and then everyone is going to be
absolutely shocked that it is happening. Of course, the trivial thing
to do would be to simply follow the example of other banks, like
Citibank, that force you to enter your password only on an https:
protected page.


-- 
Perry E. Metzger		perry@...rmont.com
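The check the post is arguing for, as an added example (not code from the original message or from any of the banks named): audit a login page by looking at the scheme of the page that carries the password form, not the scheme of the form's action. An https action on an http page proves nothing, because an on-path attacker can rewrite the markup, including the action URL and the lock image, before it reaches the browser. The hostnames (example.com, login.example.com) and the two sample pages are constructed for the demonstration; only the Python standard library is used.

```python
"""Audit an HTML login page for a password form delivered over plain HTTP.

Added example, not part of the original post.  The sample pages and
hostnames below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> and note whether it holds an <input type=password>."""

    def __init__(self):
        super().__init__()
        self.forms = []        # dicts: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings (strings) for password forms on the page.

    The trust boundary is the page that *contains* the form, not the URL
    the form submits to.  If page_url is http://, the form, its action and
    any lock icon in the markup could all have been rewritten in transit.
    """
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # Resolve a relative action against the page URL; an empty action
        # submits back to the page itself.
        action = urljoin(page_url, form["action"] or page_url)
        action_scheme = urlsplit(action).scheme.lower()
        if page_scheme != "https":
            findings.append(
                f"password form on {page_scheme} page {page_url}: "
                f"markup can be tampered with in transit (action={action})"
            )
        elif action_scheme != "https":
            findings.append(
                f"password form on https page submits over {action_scheme}: {action}"
            )
    return findings


# Constructed sample: an http front page with an https form action and a
# reassuring lock image, which is exactly the pattern the post objects to.
HTTP_FRONT_PAGE = """<html><body>
<img src="/images/lock.gif" alt="secure">
<form method="post" action="https://login.example.com/logon">
  <input type="text" name="user">
  <input type="password" name="pass">
</form></body></html>"""

# Constructed sample: the whole login page served over https.
HTTPS_LOGIN_PAGE = """<html><body>
<form method="post" action="/logon">
  <input type="text" name="user">
  <input type="password" name="pass">
</form></body></html>"""


if __name__ == "__main__":
    for url, html in [("http://www.example.com/", HTTP_FRONT_PAGE),
                      ("https://login.example.com/", HTTPS_LOGIN_PAGE)]:
        print(url, audit_login_page(url, html) or ["ok"])
```

Run against a page fetched over plain http, the audit flags the form regardless of where it posts; the only configuration that passes is the one the post recommends, a password form on a page that was itself delivered over https. The https-page-with-http-action case is also reported, since the credential would leave the browser in the clear even though the page arrived intact.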

