mailing list archives
RE: http://www.chase.com/ vulnerability
From: "Schmidt, Michael R." <Michael.Schmidt () T-Mobile com>
Date: Fri, 28 May 2004 12:11:26 -0700
Yes, you are correct; when you go to the "contact us" page they require you to use the quite un-secure login page
first. That is brilliant. The credentials are passed along unsecured over the Internet. I am glad that my bank has
an actual SSL login page.
I sent them a message - one that the page said was "protected" via SSL, which it was not, it was however posted to a
page that had SSL, then redirected to a non protected thank you page. This is such poor security that it is
frightening. Do they not understand that all the posted data is being sent clear text?
Someone needs to be fired.
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Perry E.
Sent: Friday, May 28, 2004 10:57 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] http://www.chase.com/ vulnerability
I don't know if this is the right place to note a vulnerability in an
individual web site, but it is the web site of one of the largest
banks in the world, and it is a serious vulnerability. I have given up
on finding anyone inside JP Morgan Chase to tell about it, and not for
lack of trying.
If you go over to http://www.chase.com/, you will note that there is a
form on the front page to enter your userid and password for your bank
account. Note that the page is downloaded without SSL -- it is an
ordinary http downloaded page.
If the page isn't mangled by evil people, this is vaguely safe because
the form posts the information via SSL, but as we all know, the world
is *not* free of bad guys, and a person with malice in their heart
could "man in the middle" attack you and redirect the form to a site of
their choosing. One could, of course, always read the html to make
sure it is pointing at the right place, but as no one ever does that
it is barely worth mentioning.
The man in the middle attack can be done in a variety of ways,
including spoofing DNS replies to victims computers or wholesale
interception of the the http request. Wireless also makes for some fun
games. I leave all that as an exercise to the reader -- how such an
attack is performed isn't important, only that Chase has left its
customers vulnerable to such an attack.
Note that Chase is effectively training their customers to enter in
vital passwords into forms downloaded in the clear, which is precisely
the opposite of what it should encourage. A major international bank
should know better. In addition, they display a small image of a
closed lock next to the insecure form -- thus training their users to
be confused about what the lock image in the corner of their browser
means, and about when they are and are not entering data securely.
I first reported this problem to Chase quite some time ago, and I
tried reporting it again to them about three months ago. I got
nowhere. I more recently resorted to asking a friend who worked at the
company to leak me the name of a Chase internal security person, and I
emailed them. They replied, saying they would look in to it, but sadly
no action whatsoever has been taken.
It is a shame that so many large companies have made it effectively
impossible for their customers to report problems, such as security
issues. I should not have to resort to posting in public to get
the problem fixed. Sadly I'm unsure of any other way to proceed.
Perry E. Metzger perry () piermont com
Full-Disclosure - We believe in it.
Full-Disclosure - We believe in it.