Full Disclosure mailing list archives

Re: http://www.chase.com/ vulnerability

From: "Perry E. Metzger" <perry () piermont com>
Date: Fri, 28 May 2004 15:46:16 -0400


"Brandon" <b_buckley () comcast net> writes:

Wells Fargo and Bank of America have similar home pages, although they do
offer a secure login page, I'm sure most users don't bother using it.


So does Chase (if you bother learning how to get to it, which they
don't make obvious.)

American Express appears to have a brilliant setup where if you try to
go to https://www.americanexpress.com/, it redirects you back to an
http: based login page. If reload the login page with an https:
request, you get a popup about it using an Akamai certificate.

It is clear that some people are not paying attention here and they're
heavily endangering their customer.


-- 
Perry E. Metzger                perry () piermont com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

http://www.chase.com/ vulnerability Perry E. Metzger (May 28)
- RE: http://www.chase.com/ vulnerability Brandon (May 28)
  - Re: http://www.chase.com/ vulnerability Perry E. Metzger (May 28)
- RE: http://www.chase.com/ vulnerability gauntlet (May 28)
- <Possible follow-ups>
- RE: http://www.chase.com/ vulnerability Schmidt, Michael R. (May 28)
  - Re: http://www.chase.com/ vulnerability Dark-Avenger (May 28)
- Re: http://www.chase.com/ vulnerability Perry E. Metzger (May 28)
- RE: http://www.chase.com/ vulnerability James Patterson Wicks (May 29)
  - Re: http://www.chase.com/ vulnerability Perry E. Metzger (May 29)
- Re: http://www.chase.com/ vulnerability http-equiv () excite com (May 29)