Plaintext passwords in Chase Online Banking

From: dorqus maximus (dorqusat_private)
Date: Sat Mar 07 1998 - 23:15:57 PST


    I discovered a large security flaw in the Chase Online Banking software.
    (version 3.00, 11/14/97)
    
    When you install the software, you can select an offline password to run
    the program, so that unauthorized people cannot look at your balances,
    number of accounts, etc. (The software allows you to work offline, then
    connect via modem when you want to initiate transfers, etc.)
    
    Chase does not even encrypt the offline password, but rather leaves it
    in plain text.
    
    For each user that uses the software, there is a directory created with that
    username under the main directory (i.e. C:\Chase\USERNAME).
    
    If you have local access to a person's PC who has this software installed
    on their computer, you can get their offline password (which odds are is
    their online password as well).
    
    Here's how to do it.
    
    CD C:\WINDOWS (or wherever windows is installed on the machine)
    EDIT COB.INI, and look for the following section (the file is pretty
    small)
    
    [User List]
    User1=USERNAME
    User1DataPath=C:\Chase\USERNAME\
    User1CustID=593845860683304858
    LastUser=USERNAME
    
    Next,
    CD C:\Chase\USERNAME
    EDIT BANKSYS.DAT and look for the User1CustID string (593845860683304858
    in this case); the word right next to it is the user's offline password.
    
    You can now run C:\Chase\cob.exe, and log in as the user using their
    offline password.  There's a good chance that the offline password is
    the same as their online password.  Once you are connected, you can
    see their current balance information, make transfers, even make
    payments.
    
    I have not yet brought this to the attention of Chase, as I figured
    I'd post it here first, then let them know that I have publicly disclosed
    this information, so it will be in their best interest to fix it.
    
    Dorqus Maximus
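
The fix for the flaw reported above is to keep only a salted, slow password verifier next to the customer ID instead of the password itself. The sketch below is an added example, not part of the original post and not Chase's code; the record layout, the function names `make_record` and `verify`, the iteration count and the sample values are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value; tune per hardware)
SCHEME = "pbkdf2-sha256"


def make_record(cust_id: str, password: str, iterations: int = ITERATIONS) -> str:
    """Return one line for the local data file: no password, only a salted verifier."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return ":".join([cust_id, SCHEME, str(iterations), salt.hex(), digest.hex()])


def verify(record: str, cust_id: str, password: str) -> bool:
    """Check a typed password against a stored record in constant time."""
    try:
        rec_id, scheme, iterations, salt_hex, digest_hex = record.strip().split(":")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or truncated record: fail closed
    if rec_id != cust_id or scheme != SCHEME or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    CUST_ID = "000000000000000000"  # constructed sample ID, not from the post
    record = make_record(CUST_ID, "correct horse")  # constructed sample password
    print(record)
    print(verify(record, CUST_ID, "correct horse"), verify(record, CUST_ID, "wrong"))
```

Anyone who can read the file can still run guesses against the verifier offline, so this raises the cost of recovery rather than removing it. It works alongside, not in place of, keeping the offline password different from the online one.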
    


