Bugtraq mailing list archives
Re: Plaintext passwords in Chase Online Banking
From: dorqus () FREEK COM (dorqus maximus)
Date: Sun, 8 Mar 1998 14:16:14 -0500
This is the text of an email that I sent to Chase Customer Service with regards to this problem:

Date: 3/8/98
Subject: Security flaw in the software

Hi. I have discovered that the user's offline password is kept in plain text in a file on the PC. This is pretty bad, as I am sure that a lot of times the user's offline password is the same as their online password, so all someone needs to get access to someone else's accounts is a few minutes alone with someone's PC who has the software on it.

It is a trivial matter to get the plaintext offline password, and it requires no special tools or programs. I have exact details on how to do this, and I have already posted the directions to a full-disclosure security list.

Please let me know what you are planning to do about this, as this is obviously a major problem. If the PC side of the software is insecure, how can I be guaranteed that the server side is secure as well?

We'll see what reply I get from them (if any).

Dorqus Maximus