Full Disclosure mailing list archives
Re: http://www.chase.com/ vulnerability
From: "Perry E. Metzger" <perry () piermont com>
Date: Sat, 29 May 2004 11:22:11 -0400
"James Patterson Wicks" <pwicks () oxygen com> writes:
> The Chase home page has been like this for over a year. I was a bit worried after the change, so I just bypassed it. If you feel more secure logging in on an SSL page, just do the following:
You can also just go to https://chaseonline.chase.com/ -- that's not the point. The point is that at the very least, they're training their users to follow a very dangerous behavior -- entering passwords into forms downloaded via untrusted paths. They're even telling their users this is absolutely riskless by putting a lock icon right on the front page and having a FAQ that explains that your password is totally protected so you have nothing to worry about -- which is, of course, untrue since there is no guarantee that their front page has not been tampered with.
> Since Chase changed this page over a year ago, I'm sure we would have heard something if the Chase site was being exploited.
First, I doubt we would have heard anything. Chase might not even know, for one thing -- I doubt they investigate cases of password theft very deeply. Second of all, even if it hasn't been exploited yet, it is inviting trouble. For years people scoffed when I'd say "the idea of .exe archive/installer files is terrifying. Microsoft is training its users to run programs sent in email, and some day they're going to reap the whirlwind." Well, eventually, someone decided to exploit that stupidity. Some day, some gang is going to start ripping off customers of Chase, American Express, Wells Fargo, and other companies that are perpetuating this foolishness, and then everyone is going to be absolutely shocked that it is happening.

Of course, the trivial thing to do would be to simply follow the example of other banks, like Citibank, that force you to enter your password in only on an https: protected page.

--
Perry E. Metzger perry () piermont com