Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: Plaintext passwords in Chase Online Bankingdorqus maximus (dorqusFREEK.COM)
Sun, 8 Mar 1998 14:16:14 -0500
- Messages sorted by: [ date ][ thread ][ subject ][ author ]
- Next message: Chip Salzenberg: "Re: Perl bugs (was Re: another /tmp race: `perl -e')"
- Previous message: Theo de Raadt: "Re: another /tmp race: `perl -e' opens temp file not safely"
- In reply to: dorqus maximus: "Plaintext passwords in Chase Online Banking"
This is the text of an email that I sent to Chase Customer Service with regards to this problem: Date: 3/8/98 Subject: Security flaw in the software Hi. I have discovered that the users offline password is kept in plain text in a file on the PC. This is pretty bad, as I am sure that a lot of times the users offline password is the same as their online password, so all someone needs to get access to someone elses accounts is a few minutes alone wiht someone's PC who has the software on it. It is a trivial matter to get the plaintext offline password, and it requires no special tools or programs. I have exact details on how to do this, and I have already posted the directions to a full-disclosure security list. Please let me know what you are planning to do about this, as this is obviously a major problem. If the PC side of the software is insecure, how can I be guaranteed that the server side is secure as well? We'll see what reply I get from them (if any) Dorqus Maximus