Full Disclosure mailing list archives
Re: http://www.chase.com/ vulnerability
From: Dark-Avenger <Dark-Avenger () comcast net>
Date: Fri, 28 May 2004 19:03:18 -0500
No, you are not correct. Take a look at the source of the page, and you can see that the login is a POST operation to an https page.
Subject: RE: [Full-disclosure] http://www.chase.com/ vulnerability Date: Fri, 28 May 2004 12:11:26 -0700 From: Schmidt, Michael R. <Michael.Schmidt () T-Mobile com>To: 'Perry E. Metzger' <perry () piermont com>, full-disclosure () lists netsys com
Yes, you are correct; when you go to the "contact us" page they require you to use the quite un-secure login page first. That is brilliant. The credentials are passed along unsecured over the Internet. I am glad that my bank has an actual SSL login page. I sent them a message - one that the page said was "protected" via SSL, which it was not, it was however posted to a page that had SSL, then redirected to a non protected thank you page. This is such poor security that it is frightening. Do they not understand that all the posted data is being sent clear text? Someone needs to be fired. -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Perry E. Metzger Sent: Friday, May 28, 2004 10:57 AM To: full-disclosure () lists netsys com Subject: [Full-disclosure] http://www.chase.com/ vulnerability I don't know if this is the right place to note a vulnerability in an individual web site, but it is the web site of one of the largest banks in the world, and it is a serious vulnerability. I have given up on finding anyone inside JP Morgan Chase to tell about it, and not for lack of trying. If you go over to http://www.chase.com/, you will note that there is a form on the front page to enter your userid and password for your bank account. Note that the page is downloaded without SSL -- it is an ordinary http downloaded page. If the page isn't mangled by evil people, this is vaguely safe because the form posts the information via SSL, but as we all know, the world is *not* free of bad guys, and a person with malice in their heart could "man in the middle" attack you and redirect the form to a site of their choosing. One could, of course, always read the html to make sure it is pointing at the right place, but as no one ever does that it is barely worth mentioning. The man in the middle attack can be done in a variety of ways, including spoofing DNS replies to victims computers or wholesale interception of the the http request. Wireless also makes for some fun games. I leave all that as an exercise to the reader -- how such an attack is performed isn't important, only that Chase has left its customers vulnerable to such an attack. Note that Chase is effectively training their customers to enter in vital passwords into forms downloaded in the clear, which is precisely the opposite of what it should encourage. A major international bank should know better. In addition, they display a small image of a closed lock next to the insecure form -- thus training their users to be confused about what the lock image in the corner of their browser means, and about when they are and are not entering data securely. I first reported this problem to Chase quite some time ago, and I tried reporting it again to them about three months ago. I got nowhere. I more recently resorted to asking a friend who worked at the company to leak me the name of a Chase internal security person, and I emailed them. They replied, saying they would look in to it, but sadly no action whatsoever has been taken. It is a shame that so many large companies have made it effectively impossible for their customers to report problems, such as security issues. I should not have to resort to posting in public to get the problem fixed. Sadly I'm unsure of any other way to proceed. -- Perry E. Metzger perry () piermont com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- http://www.chase.com/ vulnerability Perry E. Metzger (May 28)
- RE: http://www.chase.com/ vulnerability Brandon (May 28)
- Re: http://www.chase.com/ vulnerability Perry E. Metzger (May 28)
- RE: http://www.chase.com/ vulnerability gauntlet (May 28)
- <Possible follow-ups>
- RE: http://www.chase.com/ vulnerability Schmidt, Michael R. (May 28)
- Re: http://www.chase.com/ vulnerability Dark-Avenger (May 28)
- Re: http://www.chase.com/ vulnerability Perry E. Metzger (May 28)
- RE: http://www.chase.com/ vulnerability James Patterson Wicks (May 29)
- Re: http://www.chase.com/ vulnerability Perry E. Metzger (May 29)
- Re: http://www.chase.com/ vulnerability http-equiv () excite com (May 29)
- RE: http://www.chase.com/ vulnerability Brandon (May 28)