Re: Plaintext passwords in Chase Online Banking

dorqus maximus (dorqus@FREEK.COM)
Sun, 08 Mar 1998 14:16:14 -0500

This is the text of an email that I sent to Chase Customer Service with
regards to this problem:

Date: 3/8/98
Subject: Security flaw in the software

Hi. I have discovered that the user's offline password is kept in plain
text in a file on the PC. This is pretty bad, as I am sure that a lot of
times the user's offline password is the same as their online password, so
all someone needs to get access to someone else's accounts is a few
minutes alone with someone's PC who has the software on it. It is a trivial
matter to get the plaintext offline password, and it requires no special
tools or programs. I have exact details on how to do this, and I have
already posted the directions to a full-disclosure security list.

Please let me know what you are planning to do about this, as this is
obviously a major problem. If the PC side of the software is insecure,
how can I be guaranteed that the server side is secure as well?

We'll see what reply I get from them (if any).

Dorqus Maximus