In my ongoing pursuit of flawed online finance offerings, I took advantage of a quick Google search to isolate some opportunities.
The second result caught my eye immediately as it:
1) should likely have been disallowed via robots.txt.
2) utilized SSL, indicating a certain "value".
3) indicated broker web access and thus must be "important".
At first glance the SunGard Broker Browser looks very 1997, and a quick review of source code yields references to Front Page 3.0 and Visual Studio 6.0.
A closer look quickly turned up a cross-site scripting flaw in the user_ID parameter.
Making use of the indispensable Tamper Data add-on, I invoked the key question. How much risk to consumer and brand confidence do poorly coded or ancient apps represent?
The results answered the question aptly. Enhanced phishing opportunities, PCI violations, potential SOX considerations, possible data breach implications...the list is long.
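To make the user_ID finding concrete, here is an added illustration of the flaw class and its fix. This is not code from the original post, nor SunGard's or JPMorgan Chase's code: the endpoint URL is hypothetical, the probe string is constructed, and the two handlers are a generic reflected-XSS pattern beside the contextually encoded version, with the same quick reflection check a tester would run on the response after tampering the request.

```python
import html
from urllib.parse import parse_qs, quote, urlparse

# Constructed XSS probe of the kind a tester would inject into the parameter
# with Tamper Data; it is not a payload from the original post.
PROBE = '"><script>alert(document.cookie)</script>'

# Hypothetical endpoint; the real Broker Browser URL is not reproduced here.
BASE_URL = "https://broker.example.invalid/BrokerBrowser/login.asp"


def probe_url(probe: str = PROBE) -> str:
    """Build the tampered request URL with the probe URL-encoded into user_ID."""
    return f"{BASE_URL}?user_ID={quote(probe)}"


def user_id_from_url(url: str) -> str:
    """Pull user_ID out of the query string the way the server side would."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return params.get("user_ID", [""])[0]


def render_vulnerable(user_id: str) -> str:
    """1997-style handler: the parameter is reflected into an attribute verbatim."""
    return f'<input type="text" name="user_ID" value="{user_id}">'


def render_hardened(user_id: str) -> str:
    """Same handler with output encoding for the HTML attribute context.

    html.escape(quote=True) turns & < > " ' into entities, so the probe can
    no longer close the value attribute or open a <script> element.
    """
    safe = html.escape(user_id, quote=True)
    return f'<input type="text" name="user_ID" value="{safe}">'


def reflects_probe_unencoded(response_html: str, probe: str = PROBE) -> bool:
    """Tester's first check: did the injected markup come back byte-for-byte?"""
    return probe in response_html


def contains_script_element(response_html: str) -> bool:
    """Stricter check: a <script> tag is present that the page never emitted itself."""
    return "<script>" in response_html.lower()


if __name__ == "__main__":
    tampered = probe_url()
    user_id = user_id_from_url(tampered)
    for label, handler in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        body = handler(user_id)
        print(f"{label}: reflected={reflects_probe_unencoded(body)} "
              f"script={contains_script_element(body)}")
        print("  ", body)
```

The vulnerable handler echoes the probe intact and the response now carries a script element the application never wrote; the hardened handler returns the same input as entities, which is exactly what a tester looks for when deciding whether a parameter is exploitable or merely reflected.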
JPMorgan Chase was immediately responsive, quick to repair the issue, and offered this:
"We welcome reports of potential security vulnerability because they help us in the crucial role of protecting our customer information. We quickly follow up on any reports, assess the situation and determine what action needs to be taken."
An excellent response to be sure, and I applaud it.
That said, I'd like to pose a few more questions; if they are answered, I will post the answers here as an update, or approve the comment if the answer arrives that way.
1) Is this really how brokers gain access to JPMorgan Chase resources?
2) If so, will you be updating the application to bring it into this century?
3) May I humbly suggest a wee bit o' security through obscurity? Something as follows should suffice:
# Bugger off
4) There are indications of this being a test system. If so, does it really need to be exposed to the Internet?
As news of endless data breaches, economic collapse, failing consumer confidence, and inherent Wall Street greed prevail, an online finance flaw like this leaves me at a bit of a loss.
If access for brokers is broken and could lead to data compromise, what are the implications?
Many, I think, particularly under the premise of the above mentioned news.
I've read a recent, well-written argument that we haven't fully grasped the potential impact. From Laura Wilson's Facing the Information Security Hole in 2009: The Unacknowledged Threat to Our Homeland and Financial Security, consider the following.
"It is now widely acknowledged by security experts from the federal government on down that the problem of data security breaches will get worse as the financial debacle worsens and companies cut spending and workers."
My point is this. I discover online finance flaws, I report them, they get fixed. That's great, but what about those that remain undiscovered and are far more critical than the cross-site scripting examples I use to make my point (and stay out of jail ;-))?
We are faced with uncertain times. Better security for web applications and systems serving as financial industry resources can help mitigate some of that uncertainty.