Re: [Full-Disclosure] http://www.chase.com/ vulnerability

From: Dark-Avenger (Dark-Avenger_at_comcast.net)
Date: 05/29/04

    To: full-disclosure@lists.netsys.com
    Date: Fri, 28 May 2004 19:03:18 -0500
    
    

    No, you are not correct. Take a look at the source of the page, and you
    can see that the login is a POST operation to an https page.

    Subject: RE: [Full-Disclosure] http://www.chase.com/ vulnerability
    Date: Fri, 28 May 2004 12:11:26 -0700
    From: Schmidt, Michael R. <Michael.Schmidt@T-Mobile.com>
    To: 'Perry E. Metzger' <perry@piermont.com>,
    full-disclosure@lists.netsys.com

    >Yes, you are correct; when you go to the "contact us" page they require you to use the quite un-secure login page first. That is brilliant. The credentials are passed along unsecured over the Internet. I am glad that my bank has an actual SSL login page.
    >
    >I sent them a message - one that the page said was "protected" via SSL, which it was not, it was however posted to a page that had SSL, then redirected to a non protected thank you page. This is such poor security that it is frightening. Do they not understand that all the posted data is being sent clear text?
    >
    >Someone needs to be fired.
    >
    >-----Original Message-----
    >From: full-disclosure-admin@lists.netsys.com [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Perry E. Metzger
    >Sent: Friday, May 28, 2004 10:57 AM
    >To: full-disclosure@lists.netsys.com
    >Subject: [Full-Disclosure] http://www.chase.com/ vulnerability
    >
    >
    >I don't know if this is the right place to note a vulnerability in an
    >individual web site, but it is the web site of one of the largest
    >banks in the world, and it is a serious vulnerability. I have given up
    >on finding anyone inside JP Morgan Chase to tell about it, and not for
    >lack of trying.
    >
    >If you go over to http://www.chase.com/, you will note that there is a
    >form on the front page to enter your userid and password for your bank
    >account. Note that the page is downloaded without SSL -- it is an
    >ordinary http downloaded page.
    >
    >If the page isn't mangled by evil people, this is vaguely safe because
    >the form posts the information via SSL, but as we all know, the world
    >is *not* free of bad guys, and a person with malice in their heart
    >could "man in the middle" attack you and redirect the form to a site of
    >their choosing. One could, of course, always read the html to make
    >sure it is pointing at the right place, but as no one ever does that
    >it is barely worth mentioning.
    >
    >The man in the middle attack can be done in a variety of ways,
    >including spoofing DNS replies to victims computers or wholesale
    >interception of the http request. Wireless also makes for some fun
    >games. I leave all that as an exercise to the reader -- how such an
    >attack is performed isn't important, only that Chase has left its
    >customers vulnerable to such an attack.
    >
    >Note that Chase is effectively training their customers to enter in
    >vital passwords into forms downloaded in the clear, which is precisely
    >the opposite of what it should encourage. A major international bank
    >should know better. In addition, they display a small image of a
    >closed lock next to the insecure form -- thus training their users to
    >be confused about what the lock image in the corner of their browser
    >means, and about when they are and are not entering data securely.
    >
    >I first reported this problem to Chase quite some time ago, and I
    >tried reporting it again to them about three months ago. I got
    >nowhere. I more recently resorted to asking a friend who worked at the
    >company to leak me the name of a Chase internal security person, and I
    >emailed them. They replied, saying they would look into it, but sadly
    >no action whatsoever has been taken.
    >
    >It is a shame that so many large companies have made it effectively
    >impossible for their customers to report problems, such as security
    >issues. I should not have to resort to posting in public to get
    >the problem fixed. Sadly I'm unsure of any other way to proceed.
    >
    >
    >--
    >Perry E. Metzger perry@piermont.com
    >
    >_______________________________________________
    >Full-Disclosure - We believe in it.
    >Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
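The point under dispute in this thread is whether a login form is safe when the page carrying it arrives over plain http but its action points at an https URL. The following audit script is an added example written for this archive page, not code from any poster or from the bank; it parses a page, finds every form with a password field, and flags two separate conditions: the page itself was delivered without TLS (so the action attribute the browser sees cannot be trusted), and the resolved action is not https. The sample HTML and the bank.example hostnames are constructed placeholders that mirror the pattern Perry describes; they are not taken from any real site.

```python
"""Audit an HTML page for password forms a browser would submit from an
insecurely delivered page.

Added example for this thread. SAMPLE_HTML and the bank.example hostnames
are constructed to mirror the described pattern (http:// page, https://
form action, a lock image next to the form); they are not real pages.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and the input types it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str | None, "inputs": [type, ...]}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # A missing type attribute means a text input in HTML.
            self._current["inputs"].append((attrs.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form that carries a password field.

    page_url must be the URL the page was actually fetched from. Its scheme
    matters as much as the form's action: a page delivered over plain http
    can be altered in transit before the browser ever reads the action
    attribute, so an https action on an http page is not a real guarantee.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if "password" not in form["inputs"]:
            continue
        # Relative actions resolve against the page URL, so they inherit
        # the page's (possibly insecure) scheme.
        action = urljoin(page_url, form["action"] or "")
        action_scheme = urlsplit(action).scheme.lower()
        issues = []
        if page_scheme != "https":
            issues.append("page delivered over %s: form can be rewritten in transit" % page_scheme)
        if action_scheme != "https":
            issues.append("credentials posted over %s" % action_scheme)
        findings.append({"action": action, "issues": issues})
    return findings


# Constructed sample page: an http-delivered front page with a lock image
# beside a login form whose action is https, plus an unrelated search form.
SAMPLE_HTML = """
<html><body>
<img src="/images/lock.gif" alt="secure">
<form method="post" action="https://login.bank.example/logon">
  <input type="text" name="userid">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<form method="get" action="/search"><input name="q"></form>
</body></html>
"""


def demo():
    """Audit the constructed page as if fetched over http and over https."""
    return {
        "over_http": audit_login_forms("http://bank.example/", SAMPLE_HTML),
        "over_https": audit_login_forms("https://bank.example/", SAMPLE_HTML),
    }


if __name__ == "__main__":
    for fetched_as, findings in demo().items():
        print(fetched_as)
        for f in findings:
            print("  form ->", f["action"])
            for issue in f["issues"] or ["no issues"]:
                print("    ", issue)
```

Run against a page fetched over http, the script reports the https-action form anyway, because the delivery channel is the weak point; fetched over https, the same form reports clean. A relative action such as `/logon` on an http page produces both findings, since it resolves to an http URL. The search form is skipped because it has no password field.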

