Re: Plaintext passwords in Chase Online Banking

From: dorqus maximus (dorqusat_private)
Date: Sun Mar 08 1998 - 11:16:14 PST

This is the text of an email that I sent to Chase Customer Service with
regards to this problem:

 Date: 3/8/98
 Subject: Security flaw in the software

 Hi.  I have discovered that the user's offline password is kept in plain
 text in a file on the PC.  This is pretty bad, as I am sure that a lot of
 times the user's offline password is the same as their online password, so
 all someone needs to get access to someone else's accounts is a few
 minutes alone with the PC of someone who has the software on it.  It is a
 trivial matter to get the plaintext offline password, and it requires no
 special tools or programs.  I have exact details on how to do this, and I
 have already posted the directions to a full-disclosure security list.

 Please let me know what you are planning to do about this, as this is
 obviously a major problem.  If the PC side of the software is insecure,
 how can I be guaranteed that the server side is secure as well?

We'll see what reply I get from them (if any).

Dorqus Maximus

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:34 PDT