Full Disclosure mailing list archives
http://www.chase.com/ vulnerability
From: "Perry E. Metzger" <perry () piermont com>
Date: Fri, 28 May 2004 13:57:08 -0400
I don't know if this is the right place to note a vulnerability in an individual web site, but it is the web site of one of the largest banks in the world, and it is a serious vulnerability. I have given up on finding anyone inside JP Morgan Chase to tell about it, and not for lack of trying. If you go over to http://www.chase.com/, you will note that there is a form on the front page to enter your userid and password for your bank account. Note that the page is downloaded without SSL -- it is an ordinary http downloaded page. If the page isn't mangled by evil people, this is vaguely safe because the form posts the information via SSL, but as we all know, the world is *not* free of bad guys, and a person with malice in their heart could "man in the middle" attack you and redirect the form to a site of their choosing. One could, of course, always read the html to make sure it is pointing at the right place, but as no one ever does that it is barely worth mentioning. The man in the middle attack can be done in a variety of ways, including spoofing DNS replies to victims computers or wholesale interception of the the http request. Wireless also makes for some fun games. I leave all that as an exercise to the reader -- how such an attack is performed isn't important, only that Chase has left its customers vulnerable to such an attack. Note that Chase is effectively training their customers to enter in vital passwords into forms downloaded in the clear, which is precisely the opposite of what it should encourage. A major international bank should know better. In addition, they display a small image of a closed lock next to the insecure form -- thus training their users to be confused about what the lock image in the corner of their browser means, and about when they are and are not entering data securely. I first reported this problem to Chase quite some time ago, and I tried reporting it again to them about three months ago. I got nowhere. I more recently resorted to asking a friend who worked at the company to leak me the name of a Chase internal security person, and I emailed them. They replied, saying they would look in to it, but sadly no action whatsoever has been taken. It is a shame that so many large companies have made it effectively impossible for their customers to report problems, such as security issues. I should not have to resort to posting in public to get the problem fixed. Sadly I'm unsure of any other way to proceed. -- Perry E. Metzger perry () piermont com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- http://www.chase.com/ vulnerability Perry E. Metzger (May 28)
- RE: http://www.chase.com/ vulnerability Brandon (May 28)
- Re: http://www.chase.com/ vulnerability Perry E. Metzger (May 28)
- RE: http://www.chase.com/ vulnerability gauntlet (May 28)
- <Possible follow-ups>
- RE: http://www.chase.com/ vulnerability Schmidt, Michael R. (May 28)
- Re: http://www.chase.com/ vulnerability Dark-Avenger (May 28)
- Re: http://www.chase.com/ vulnerability Perry E. Metzger (May 28)
- RE: http://www.chase.com/ vulnerability James Patterson Wicks (May 29)
- Re: http://www.chase.com/ vulnerability Perry E. Metzger (May 29)
- Re: http://www.chase.com/ vulnerability http-equiv () excite com (May 29)
- RE: http://www.chase.com/ vulnerability Brandon (May 28)