
| Subject: | RE: [Full-Disclosure] http://www.chase.com/ vulnerability |
|---|---|
| Date: | Fri, 28 May 2004 14:38:08 -0500 |

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Perry E. Metzger
Sent: Friday, May 28, 2004 12:57 PM
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] http://www.chase.com/ vulnerability

I don't know if this is the right place to note a vulnerability in an individual web site, but it is the web site of one of the largest banks in the world, and it is a serious vulnerability. I have given up on finding anyone inside JP Morgan Chase to tell about it, and not for lack of trying.

If you go over to http://www.chase.com/, you will note that there is a form on the front page to enter your userid and password for your bank account. Note that the page is downloaded without SSL -- it is an ordinary http downloaded page.

If the page isn't mangled by evil people, this is vaguely safe because the form posts the information via SSL, but as we all know, the world is *not* free of bad guys, and a person with malice in their heart could "man in the middle" attack you and redirect the form to a site of their choosing. One could, of course, always read the html to make sure it is pointing at the right place, but as no one ever does that it is barely worth mentioning.

The man in the middle attack can be done in a variety of ways, including spoofing DNS replies to victims' computers or wholesale interception of the http request. Wireless also makes for some fun games. I leave all that as an exercise to the reader -- how such an attack is performed isn't important, only that Chase has left its customers vulnerable to such an attack.

Note that Chase is effectively training their customers to enter in vital passwords into forms downloaded in the clear, which is precisely the opposite of what it should encourage. A major international bank should know better.

In addition, they display a small image of a closed lock next to the insecure form -- thus training their users to be confused about what the lock image in the corner of their browser means, and about when they are and are not entering data securely.

I first reported this problem to Chase quite some time ago, and I tried reporting it again to them about three months ago. I got nowhere. I more recently resorted to asking a friend who worked at the company to leak me the name of a Chase internal security person, and I emailed them. They replied, saying they would look into it, but sadly no action whatsoever has been taken.

It is a shame that so many large companies have made it effectively impossible for their customers to report problems, such as security issues. I should not have to resort to posting in public to get the problem fixed. Sadly I'm unsure of any other way to proceed.

--
Perry E. Metzger perry@piermont.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Wells Fargo and Bank of America have similar home pages, although they do offer a secure login page, I'm sure most users don't bother using it.

Thanks,
Brandon Buckley