Chase Online Banking Client Cleartext Password Storage

1998-03-08T00:00:00
ID OSVDB:2947
Type osvdb
Reporter OSVDB
Modified 1998-03-08T00:00:00

Description

Vulnerability Description

Chase Online Banking Client software has a flaw that causes it to store the customer's password in plaintext. Anyone with physical access to the machine can trivially find the password that controls access to the customer's online banking. This allows an attacker to transfer money, check account balances and more.

Technical Description

In the Windows directory (typically C:\WINDOWS or similar), the COB.INI file contains the following lines:

    [User List]
    User1=USERNAME
    User1DataPath=C:\Chase\USERNAME\
    User1CustID=593845860683304858
    LastUser=USERNAME

Using the "User1DataPath" value, look for BANKSYS.DAT in that directory. That file contains the "User1CustID" string (example: 593345860663302818) with the user's offline password next to it.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Never store your password "offline".

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1998_1/0347.html