Full Disclosure mailing list archives

Re: http://www.chase.com/ vulnerability


From: "Perry E. Metzger" <perry () piermont com>
Date: Sat, 29 May 2004 11:22:11 -0400


"James Patterson Wicks" <pwicks () oxygen com> writes:
> The Chase home page has been like this for over a year.  I was a bit
> worried after the change, so I just bypassed it.  If you feel more
> secure logging in on an SSL page, just do the following:

You can also just go to https://chaseonline.chase.com/ -- that's not
the point. The point is that at the very least, they're training their
users to follow a very dangerous behavior -- entering passwords into
forms downloaded via untrusted paths. They're even telling their users
this is absolutely riskless by putting a lock icon right on the front
page and having a FAQ that explains that your password is totally
protected so you have nothing to worry about -- which is, of course,
untrue since there is no guarantee that their front page has not been
tampered with.

> Since Chase changed this page over a year ago, I'm sure we would have
> heard something if the Chase site was being exploited.

First, I doubt we would have heard anything. Chase might not even
know, for one thing -- I doubt they investigate cases of password
theft very deeply. Second of all, even if it hasn't been exploited
yet, it is inviting trouble.

For years people scoffed when I'd say "the idea of .exe
archive/installer files is terrifying. Microsoft is training its users
to run programs sent in email, and some day they're going to reap the
whirlwind." Well, eventually, someone decided to exploit that
stupidity.

Some day, some gang is going to start ripping off customers of Chase,
American Express, Wells Fargo, and other companies that are
perpetuating this foolishness, and then everyone is going to be
absolutely shocked that it is happening. Of course, the trivial thing
to do would be to simply follow the example of other banks, like
Citibank, that force you to enter your password only on an
https:-protected page.


-- 
Perry E. Metzger                perry () piermont com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

