Message-ID: <40B7D346.3070302@comcast.net>
From: Dark-Avenger at comcast.net (Dark-Avenger)
Subject: http://www.chase.com/ vulnerability

No, you are not correct. Take a look at the source of the page, and you can
see that the login is a POST operation to an https page.

Subject: RE: [Full-Disclosure] http://www.chase.com/ vulnerability
Date: Fri, 28 May 2004 12:11:26 -0700
From: Schmidt, Michael R. <Michael.Schmidt@...obile.com>
To: 'Perry E. Metzger' <perry@...rmont.com>, full-disclosure@...ts.netsys.com

> Yes, you are correct; when you go to the "contact us" page they require
> you to use the quite un-secure login page first. That is brilliant. The
> credentials are passed along unsecured over the Internet. I am glad that
> my bank has an actual SSL login page.
>
> I sent them a message - one that the page said was "protected" via SSL,
> which it was not; it was however posted to a page that had SSL, then
> redirected to a non-protected thank you page. This is such poor security
> that it is frightening. Do they not understand that all the posted data is
> being sent clear text?
>
> Someone needs to be fired.
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Perry E. Metzger
> Sent: Friday, May 28, 2004 10:57 AM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] http://www.chase.com/ vulnerability
>
>
> I don't know if this is the right place to note a vulnerability in an
> individual web site, but it is the web site of one of the largest
> banks in the world, and it is a serious vulnerability. I have given up
> on finding anyone inside JP Morgan Chase to tell about it, and not for
> lack of trying.
>
> If you go over to http://www.chase.com/, you will note that there is a
> form on the front page to enter your userid and password for your bank
> account. Note that the page is downloaded without SSL -- it is an
> ordinary http downloaded page.
>
> If the page isn't mangled by evil people, this is vaguely safe because
> the form posts the information via SSL, but as we all know, the world
> is *not* free of bad guys, and a person with malice in their heart
> could "man in the middle" attack you and redirect the form to a site of
> their choosing. One could, of course, always read the html to make
> sure it is pointing at the right place, but as no one ever does that
> it is barely worth mentioning.
>
> The man in the middle attack can be done in a variety of ways,
> including spoofing DNS replies to victims' computers or wholesale
> interception of the http request. Wireless also makes for some fun
> games. I leave all that as an exercise to the reader -- how such an
> attack is performed isn't important, only that Chase has left its
> customers vulnerable to such an attack.
>
> Note that Chase is effectively training their customers to enter in
> vital passwords into forms downloaded in the clear, which is precisely
> the opposite of what it should encourage. A major international bank
> should know better. In addition, they display a small image of a
> closed lock next to the insecure form -- thus training their users to
> be confused about what the lock image in the corner of their browser
> means, and about when they are and are not entering data securely.
>
> I first reported this problem to Chase quite some time ago, and I
> tried reporting it again to them about three months ago. I got
> nowhere. I more recently resorted to asking a friend who worked at the
> company to leak me the name of a Chase internal security person, and I
> emailed them. They replied, saying they would look into it, but sadly
> no action whatsoever has been taken.
>
> It is a shame that so many large companies have made it effectively
> impossible for their customers to report problems, such as security
> issues. I should not have to resort to posting in public to get
> the problem fixed. Sadly I'm unsure of any other way to proceed.
>
>
> --
> Perry E. Metzger    perry@...rmont.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
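The thread turns on two separate questions: whether the form's action is an https URL (what Dark-Avenger checks in the page source) and whether the page that carries the form is itself delivered over https (Perry Metzger's point: a form fetched in the clear can have its action rewritten before it reaches the user, so an https action on an http page proves little). The checker below is an added example, not code from anyone in the thread. It uses only Python's standard library to find forms containing a password field and reports both conditions; the hostnames, paths and markup in it are constructed placeholders, not Chase's actual pages.

```python
"""Audit HTML for login forms that are delivered or submitted without HTTPS.

Added example (not from the original thread). For every <form> that contains
an <input type="password">, it reports:
  1. an action URL whose scheme is not https (credentials would cross the
     network in clear text), and
  2. a form delivered from a non-https page, even when the action is https,
     because the page and its action can be modified in transit.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form> with its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str | None, "has_password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": attrs.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return a list of finding strings for password forms in `html`.

    `page_url` is the URL the page was fetched from. Relative actions are
    resolved against it, and a missing action means "post back to this page".
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"] or "")
        if urlsplit(action).scheme.lower() != "https":
            findings.append(f"password form posts to non-HTTPS action {action}")
        if page_scheme != "https":
            findings.append(
                f"password form delivered over {page_scheme}; its action ({action}) "
                "can be rewritten by anyone able to alter the page in transit")
    return findings


# Constructed sample resembling the situation in the thread: a front page with
# a login form whose action is https, plus an unrelated search form. The
# hostnames are placeholders, not Chase's.
SAMPLE_PAGE = """
<html><body>
<img src="lock.gif" alt="closed lock">
<form method="post" action="https://login.example.net/signin">
  <input type="text" name="userid">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    # Same markup, fetched over http and over https: only the first is flagged.
    for url in ("http://www.example.net/", "https://www.example.net/"):
        print(url)
        for finding in audit_login_forms(url, SAMPLE_PAGE) or ["no findings"]:
            print("  -", finding)
```

Running it shows the distinction the two posters talk past each other on: the https action satisfies the first check, yet the same form fetched over http is still reported, because the page carrying it is the weak link. In practice this kind of check belongs in a site's release or monitoring pipeline, and modern browsers now apply a similar rule themselves by marking password fields on non-https pages as not secure.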