[6260] in bugtraq


Re: Plaintext passwords in Chase Online Banking

daemon@ATHENA.MIT.EDU (dorqus maximus)
Mon Mar 9 13:45:41 1998

Date: Sun, 8 Mar 1998 14:16:14 -0500
Reply-To: dorqus maximus <dorqus@FREEK.COM>
From: dorqus maximus <dorqus@FREEK.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19980308021557.03309@freek.com>; from dorqus maximus on Sun,
              Mar 08, 1998 at 02:15:57AM -0500

This is the text of an email that I sent to Chase Customer Service with
regards to this problem:

 Date: 3/8/98
 Subject: Security flaw in the software

 Hi.  I have discovered that the user's offline password is kept in plain
 text in a file on the PC.  This is pretty bad, as I am sure that a lot of
 times the user's offline password is the same as their online password, so
 all someone needs to get access to someone else's accounts is a few
 minutes alone with the PC of someone who has the software on it.  It is a
 trivial matter to get the plaintext offline password, and it requires no
 special tools or programs.  I have exact details on how to do this, and I
 have already posted the directions to a full-disclosure security list.

 Please let me know what you are planning to do about this, as this is
 obviously a major problem.  If the PC side of the software is insecure,
 how can I be guaranteed that the server side is secure as well?

We'll see what reply I get from them (if any).

Dorqus Maximus
