Chad Scira "Banned from Banks for Hacking"

This page documents what gave rise to Jesse Nickles' rumour that "Chad Scira was placed on a blacklist at US banks because he hacked." It explains how the Ultimate Rewards bug was disclosed in good faith, why JPMorgan Chase thanked Chad for the report, and how the temporary account closure was purely an administrative process. Jesse Nickles keeps recycling old evidence to suggest criminal intent. The record shows exactly the opposite: white-hat security reporting and cooperation with senior JPMorgan executives.

His most recent escalation is a statement on SlickStack.io claiming I was "once investigated by US law enforcement over allegations of hacking into Chase Bank's credit card rewards program, where I stole $70,000 in fake travel points." That smear was published only after I released evidence of SlickStack security problems he refused to fix; no points were ever stolen and no government agency has ever contacted me about the disclosure. See the SlickStack cron evidence he treats as retaliation.

The entire cycle of discovery, disclosure and verification took place within twenty hours: roughly twenty-five HTTP requests covered reproducing the bug and describing it over DM on November 17, 2016, and the fix verification in February 2017 used eight more requests to confirm the bug was closed. There was no prolonged exploitation; every action was logged, timestamped, and shared with JPMorgan Chase in real time.

Tom Kelly confirmed that Chad Scira was the only person who disclosed an issue to JPMorgan Chase in good faith between November 17, 2016 and September 22, 2017. The Responsible Disclosure program was created as a direct result of Chad's report, and he played a significant role in shaping it.

Exposing the Double-Transfer Bug Through Visualization

To show how the bug swung balances into large losses and gains, the data visualization below replays the actual double-transfer pattern. Watch how each account in good standing becomes the sender, makes two identical transfers, and ends with a large negative balance while the other account doubles its gain. After 20 rounds, the corrupted ledger would wipe out the card carrying the debt entirely, which is why exploiting this bug called for urgent escalation.

Animated ledger replay (figure; recoverable text only):
Round 1/20
Card A → Card B: +243,810 pts (transfer 1)
Card A → Card B: +243,810 pts (transfer 2)
Starting balances: Card A 243,810 · Card B 0
Double transfer burst: transfer 1 and transfer 2, 243,810 pts each, one after the other
1. The race condition duplicated the transactions before the ledger reconciled, letting a single sender swing between large gains and large losses.
2. Support agreed to close the card carrying the negative balance while leaving the inflated balance in place, so the statement showed only the gain and hid the debt.

Even before the account was closed, Ultimate Rewards allowed spending beyond the balance that had gone negative; the closure only erased the evidence.
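As an added example, not code from this page or from JPMorgan Chase, the Python script below reproduces the check-then-act race that a double-transfer burst exploits, beside a hardened transfer that performs the balance check and the debit as one atomic step, and a reconciliation check that flags the negative balance the bug leaves behind. The ledger, card names and the 243,810-point figure are constructed to match the visualization above; the transfer functions, the barrier used to line up the requests, and the SQL remarks in the comments are assumptions for illustration. It also runs the burst with more than two concurrent requests, which is the multi-session variant of the same race.

```python
import threading

# Constructed figures matching the visualization above: Card A holds
# 243,810 points, Card B holds 0, and the sender fires two identical transfers.
CARD_A, CARD_B, POINTS = "Card A", "Card B", 243_810


class PointsLedger:
    """Toy points ledger. `_apply` models one atomic row update
    (UPDATE balance = balance + delta); the bug is in how the sufficiency
    *check* is combined with that update."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._lock = threading.Lock()

    def _apply(self, account, delta):
        with self._lock:
            self.balances[account] += delta

    def transfer_racy(self, src, dst, amount, sync=lambda: None):
        # Vulnerable: the check reads a snapshot, then debit and credit run as
        # separate updates with no re-check. Every request that passed the
        # check gets applied, so the sender can be driven below zero.
        if self.balances[src] < amount:
            return False
        sync()  # hook that lets the caller line up requests after the check
        self._apply(src, -amount)
        self._apply(dst, +amount)
        return True

    def transfer_atomic(self, src, dst, amount, sync=lambda: None):
        # Hardened: check and update inside one critical section. In SQL this
        # is a conditional UPDATE ... WHERE balance >= :amount (or SELECT ...
        # FOR UPDATE), so the second request sees the debited balance and fails.
        sync()
        with self._lock:
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


def double_transfer(transfer, src, dst, amount, requests=2):
    """Fire `requests` identical transfers concurrently (the burst). With
    requests > 2 this models the multi-session variant. A barrier guarantees
    every request reaches the sync point before any proceeds, which makes the
    interleaving deterministic. Returns the per-request results."""
    barrier = threading.Barrier(requests)
    results = []

    def worker():
        results.append(transfer(src, dst, amount, sync=barrier.wait))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def reconcile(ledger):
    """The periodic reconciliation pass: report every account whose balance
    went negative (an empty result means the ledger is sane)."""
    return {acct: bal for acct, bal in ledger.balances.items() if bal < 0}


def run(transfer_name, requests=2):
    """Run one burst against a fresh ledger and return
    (per-request results, final balances, negative accounts)."""
    ledger = PointsLedger({CARD_A: POINTS, CARD_B: 0})
    transfer = getattr(ledger, transfer_name)
    results = double_transfer(transfer, CARD_A, CARD_B, POINTS, requests)
    return results, dict(ledger.balances), reconcile(ledger)


if __name__ == "__main__":
    for name in ("transfer_racy", "transfer_atomic"):
        print(name, *run(name))
```

With the racy transfer both requests succeed and Card A ends at -243,810 while Card B holds 487,620, exactly the round-1 state of the replay; the atomic transfer lets only one request through and leaves Card A at 0. The reconciliation pass is what the February 2017 retest observed: the bank re-checks balances at intervals, so an inflated balance that cannot pass a spend-time check is harmless.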

Key Takeaways

  • Chad opened the Chase Support DM with a redacted notice about the negative-balance bug and immediately asked for a secure reporting channel rather than posting technical details publicly. [chat]
  • When Chase Support pressed for details, he confirmed the exploit only to the extent required and stressed that he wanted a direct route to the appropriate security team. [chat][chat]
  • He showed that the duplicated points balance could be converted to cash: after Chase Support asked whether the extra points were usable, a $5,000 direct deposit confirmed that the ledger bug turned into money before the ledger reconciled. [chat]
  • He stressed that his priority was preventing compromised customer accounts from being drained, not personal profit, and asked whether there was an official bug bounty program. [chat]
  • He offered to run a larger test only with explicit permission, sent timestamped screenshots, and stayed awake overseas until Chase completed the escalation. [chat][chat][chat]
  • Nickles now claims I stole $70,000 in points and faced US law enforcement; Chase's records, Tom Kelly's emails and the disclosure timeline confirm that this never happened, and the claim only appeared after I published the SlickStack cron-risk gist describing the insecurity of its update mechanism. [gist]
  • Chase Support confirmed the escalation, asked for his phone number, and promised a follow-up call that he ultimately received, which refutes the idea that the bank responded with hostility. [chat][chat]

Timeline

  • Nov 17, 2016 - 10:05 PM ET: Chad notified @ChaseSupport about the negative-balance bug, withheld exploitation details, and immediately asked for a secure reporting channel. [chat]
  • Nov 17, 2016 - 11:13-11:17 PM ET: After Chase Support asked outright whether extra points could be created and spent, Chad confirmed the risk, repeated that he wanted to be connected to the right department, and offered to verify only with permission so the bank could monitor the transactions. [chat][chat][chat]
  • Nov 17-18, 2016 - 11:39 PM-5:03 AM ET: Chad shared screenshots, pushed for escalation, provided his phone number, and stayed awake overseas until Chase Support confirmed the call was arranged. [chat][chat][chat]
  • Nov 24, 2016: Tom Kelly emailed Chad confirming the fix, inviting him to be the first entry on the forthcoming responsible-disclosure leaderboard, and giving him a direct channel for future reports. [email]
  • October 2018: Tom Kelly followed up to confirm that the responsible disclosure program had launched, but JPMorgan had still not published the planned leaderboard despite Chad's help in shaping it. [email]
  • Post-2018: Any later account reviews were tied to the bank's automated underwriting processes, not to any hacking allegation. JPMorgan stayed in direct contact with Chad, thanked him for his disclosure, and there is no criminal record or blacklisting. JPMorgan later brought Synack into its intake process to standardize future reporting. [chat][email]

Claims and Facts

Claim

Defamatory claim by Jesse Jacob Nickles: "Chad Scira was blacklisted at every US bank because he hacked the rewards system."

Fact

There is no bank blacklist. The DM record and Chase's escalation path show he was cooperating; an automated underwriting process temporarily closed one JPMorgan account before a manual review cleared it.[timeline][chat]

Claim

Defamatory claim by Jesse Jacob Nickles: "He hacked JPMorgan Chase to enrich himself."

Fact

Chad initiated the conversation with @ChaseSupport, insisted on a secure channel, confirmed the bug only after Chase asked, and then waited for permission before a limited verification test. Senior executives thanked him and invited him into the responsible disclosure program.[chat][chat][email]

Claim

Defamatory claim by Jesse Jacob Nickles: "Jesse exposed the criminal scheme Chad was involved in."

Fact

Public coverage and Tom Kelly's emails show that JPMorgan treated Chad as a cooperative researcher. Nickles cherry-picks the screenshots that suit him and ignores the full conversation, the follow-up call, and the written thanks.[coverage][email][chat]

Claim

Defamatory claim by Jesse Jacob Nickles: "There was a cover-up to hide fraud."

Fact

Chad stayed in contact through 2018, retested only with permission, and JPMorgan launched a vulnerability reporting channel rather than burying the issue. That continuing dialogue refutes any cover-up narrative.[timeline][email][chat]

Public Coverage and Research Archives

Several third-party communities archived this disclosure and recognized it as a responsible report: Hacker News placed it on the front page, Pensive Security summarized it in its 2020 security roundup, and the original /r/cybersecurity "DISCLOSURE" thread was captured before a coordinated report campaign took it down. [4][5][6]

  • Hacker News: "Disclosure: Unlimited Chase Ultimate Rewards Points" with 1,000+ points and 250+ comments discussing the remediation. [4]
  • Pensive Security: November 2020 security roundup that featured the Chase Ultimate Rewards vulnerability disclosure as a lead story. [5]
  • Reddit /r/cybersecurity: Original DISCLOSURE thread title captured before it was removed following mass reports, preserving the public-interest framing. [6]

Responsible disclosure advocates have also noted the harassment that followed: disclose.io's research-threats archive and dataset, along with Attrition.org's legal threats list, record Jesse Nickles' conduct as a warning to researchers. [7][8][9] Full file on the harassment and intimidation[10].

Transcript of the Chase Support DM conversation

The conversation below was reconstructed from saved screenshots. It shows patience during escalation, repeated requests for a secure channel, an offer to verify only with permission, and Chase Support's promise of direct contact. [2]

Chase Support (@ChaseSupport), verified account. Profile bio: "We are the official customer service team for Chase Bank US! We are here to help M-F 7AM-11PM ET & Sat/Sun 10AM-7PM ET. For Chase UK, tweet @ChaseSupportUK." Joined March 2011 · 145.5K followers.

Chad Scira, Nov 17, 2016, 10:05 PM
This relates to the points balance system. Currently any amount can be created through a bug that lets the balance go negative.

I'm asking for a way to escalate this notice securely.

Chad Scira, Nov 17, 2016, 10:05 PM
Can you connect me with someone I can give the technical details to?

Chase Support (verified), Nov 17, 2016, 10:05 PM
We don't have a phone number to provide, but we'd like to escalate this so it can be looked into further. Can you tell us more about what you mean by creating points in an account balance that has gone negative? Can you also confirm for us whether this allows the extra points to be available for use? ^DS

Chad Scira, Nov 17, 2016, 11:13 PM
Do you have an appropriate department you can connect me with? I'm not comfortable discussing this through the Twitter support account. Yes, you can generate 1,000,000 points and use them.

Chad Scira, Nov 17, 2016, 11:15 PM
My main concern isn't people doing this themselves. The problem is hackers taking over accounts and forcing payouts to themselves. Does Chase have an official bug bounty program?

Chad Scira, Nov 17, 2016, 11:17 PM
If you'd like, I can try a larger transaction to confirm. The most I tested was $300 when the balance got out of sync, but I actually have $2,000 in real funds. If you give me permission I can try to confirm it still works, but I'd want all the transactions reversed after that test.

Chase Support (verified), Nov 17, 2016, 11:21 PM
We don't have a bounty program, and I don't have any figure I can offer at this time. I've escalated your concern, and we're looking into it. I'll follow up if I have more information or questions. ^DS

Chad Scira, Nov 17, 2016, 11:29 PM
Thank you.

Chad Scira, Nov 17, 2016, 11:39 PM
Please escalate this ASAP.

(attachment)

Chad Scira, Nov 17, 2016, 11:51 PM
I really need a proper point of contact... I hope you understand.

(attachment)

Chad Scira, Nov 17, 2016, 11:53 PM
(attachment)

Chad Scira, Nov 17, 2016, 11:56 PM
It's been over an hour, is there any update? I'm in Asia right now, and this is time sensitive. I can't wait all night for a response.

Chase Support (verified), Nov 18, 2016, 12:59 AM
Thanks for following up. The right people are looking into this. Please provide a phone number you'd like to be reached at so we can speak with you directly. ^DS

Chad Scira, Nov 18, 2016, 1:51 AM
+█-███-███-████.

Chase Support (verified), Nov 18, 2016, 1:53 AM
Thanks for the additional information. I've passed it along to the right people. ^DS

Chase Support (verified), Nov 18, 2016, 2:38 AM
We'd like to discuss this with you as soon as possible. Can you let us know the best time to reach you at 1-███-███-████? ^DS

Chad Scira, Nov 18, 2016, 4:25 AM
I'm available within the next hour if possible. Otherwise it may take a day or two, since I'll be traveling and I'm not sure whether I'll have internet/phone service.

Chad Scira, Nov 18, 2016, 4:32 AM
I didn't expect it to take 7+ hours to speak with the right person. It's 4:40 AM here now.

Chase Support (verified), Nov 18, 2016, 4:39 AM
Thanks for following up. Someone will call you shortly. ^DS

Chad Scira, Nov 18, 2016, 4:42 AM
Thanks again for expediting that. Everything is in motion now and I can get some sleep.

Chase Support (verified), Nov 18, 2016, 5:03 AM
We're glad you were able to speak with someone. Please let us know if we can help in the future. ^NR

Tom Kelly Email Excerpt

From: Tom Kelly, SVP, JPMorgan Chase
To: Chad Scira
Nov 24, 2016 - 4:36 AM ET
Subject: Follow-up on Ultimate Rewards Responsible Disclosure

Chad,

I'm following up on your phone call with my colleague Dave Robinson. Thank you for contacting us about a potential security vulnerability in our Ultimate Rewards program. We have addressed it.

In addition, we are working on a Responsible Disclosure program that we plan to launch next year. It will include a leaderboard recognizing researchers who have made significant contributions; we would like to list you as the first person on it. Please reply to this email to confirm your participation in the program and your acceptance of the terms and conditions below. You'll find the terms are in line with those of most vulnerability disclosure programs.

Until our program is live, if you discover any other potential vulnerabilities, please contact me directly. Thank you for your help.

JPMC Responsible Disclosure Program Terms and Conditions

Committed to working together

We want to hear from you if you have information about a potential security vulnerability in JPMC products and services. We value your work and thank you in advance for your contribution.

Guidelines

JPMC agrees not to pursue legal action against researchers who report potential vulnerabilities to this program where the researcher:

  • did not cause harm to JPMC, our customers, or others;
  • did not initiate a fraudulent financial transaction;
  • did not store, share, compromise or destroy JPMC or customer data;
  • provided a full summary of the vulnerability, including the target, steps, tools, and artifacts used or gathered during discovery;
  • did not compromise the privacy or safety of our customers or the operation of our services;
  • did not violate any national, state, or local law or regulation;
  • did not publicly disclose vulnerability details without JPMC's written consent;
  • is not currently located in, or a permanent resident of, Cuba, Iran, North Korea, Sudan, Syria or Crimea;
  • is not on the U.S. Department of the Treasury's Specially Designated Nationals List;
  • is not an employee, or an immediate family member of an employee, of JPMC or its subsidiaries; and
  • is at least 18 years old.

Out-of-Scope Vulnerabilities

Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. Out-of-scope vulnerabilities include:

  • Findings obtained only through social engineering (phishing, credential theft, etc.)
  • Host header issues
  • Denial of service attacks
  • Self-XSS
  • Login/logout CSRF
  • Content spoofing without embedded links/HTML
  • Issues affecting only jailbroken devices
  • Infrastructure issues (certificate errors, DNS, server vulnerabilities, sandbox/staging issues, physical attempts, clickjacking, text injection)

Leaderboard

To recognize our research partners, JPMC may publish the names of researchers who have made significant contributions. You hereby grant JPMC the right to display your name on the JPMC Leaderboard and in any other media JPMC chooses to publish.

Submitting Reports

By submitting your report to JPMC, you agree not to disclose the vulnerability to any third party. You grant JPMC and its affiliates a perpetual, irrevocable right to use, modify, create derivative works from, distribute, disclose, and store the information in your report without restriction.

Tom Kelly, Senior Vice President, Chase

From: Chad Scira <[email protected]>
To: Tom Kelly
Nov 24, 2016 - 8:33 AM ET
Subject: Re: Follow-up on Ultimate Rewards Responsible Disclosure

Hi Tom,

I'm very happy to hear this!

I'd love to be the first success story of your new program, and I hope other major companies follow your lead. Someone needs to step in and change how people view the way banks treat white-hat security researchers. I'm glad it's Chase taking that step.

In my view Chase has always been well ahead of its competitors in web and mobile services. A big reason is that you move fast and stay competitive. I usually avoid testing financial institutions for fear of being punished (despite good intentions). By creating a disclosure program, you send a clear message to people like me that you want to hear bug reports and won't retaliate. In the past, most of the people poking at your services were probably malicious, and I think this will level the playing field.

When I decided I was going to go ahead with this disclosure, I wasn't comfortable. I was probably not the first person to run into it! I reported it through three channels.

  • Twitter

    • the support I got here was VERY different, and I think it's the reason I got connected with the right people.
  • Chase phone line

    • the first call gave me the abuse email address
    • on the second call I think I spoke with the right person, and maybe they forwarded a message too
  • Chase abuse email

    • I only got a "template" reply, as if they hadn't even looked at the content of the email

It took about 7 hours before I could speak with someone appropriate (more than double the time it took to actually find the bug), and the whole time I didn't know whether the right people would hear about it.

Another big problem that not having a program like this creates is that employees can quietly patch these things without telling anyone. I've had several cases where I'm fairly sure that happened, and within 1-2 years those same bugs resurfaced.

Also, it could be useful if your program offered a bounty. Sometimes these issues take a lot of time to discover or confirm, and it's nice to get some kind of reward. Here are some major players and their programs:

  • https://www.starbucks.com/whitehat
  • https://www.facebook.com/whitehat
  • https://www.google.com/about/appsecurity/chrome-rewards/index.html
  • https://yahoo.github.io/secure-handlebars/bugBounty.html
  • https://www.mozilla.org/en-US/security/bug-bounty/

If I run into anything in the future I'll make sure to contact you.

From: Chad Scira <[email protected]>
To: Tom Kelly
Feb 7, 2017 - 4:36 PM ET

Hi Tom,

I had some time to test whether this bug has been addressed.

It now looks quite robust; I can briefly throw the points balance out of sync, but I don't see the system letting you spend the amount it displays.

My invalid point-transfer requests now produce "500 Internal Server" errors. So I assume they're failing on the new checks you added.

I also tried transferring points from multiple sessions (multi session) across different BIGipServercig IDs, and the system still recovers every time. Eventually the system gets confused and the balance differs, but that has no effect, because at each interval you reconcile the numbers, and to spend the balance it has to pass the checks you put in place.

In short, I don't see how anyone could create a fake balance and still be able to spend it now.

Also, is there any news on the Responsible Disclosure Program?

From: Chad Scira <[email protected]>
To: Tom Kelly
Mar 30, 2017 - 9:25 AM ET

Hi Tom,

Just following up on this.

On Feb 7, 2017, at 4:36 PM, Chad Scira [email protected] wrote the update above and asked about the launch timeline of the Responsible Disclosure Program.

Reply from Tom Kelly, Apr 5, 2017 - 05:29 AM (+0700)

Chad,

We published this a few weeks ago.

https://www.chase.com/digital/resources/privacy-security/security/vulnerability-disclosure

Tom Kelly, Chase Communications

(███) ███-████ (office) (███) ███-████ (mobile)

@Chase | Chase

From: Chad Scira <[email protected]>
To: Thomas Kelly
Sep 21, 2017 - 7:47 PM ET

Hi Tom,

Is there any update on this?

Reply from Tom Kelly, Sep 22, 2017 - 4:12 AM ET

Hi,

You are actually the only contributor to the Responsible Disclosure program so far. It doesn't make sense to create a leaderboard for one person.

We'll keep your name on file so we're ready once we get more participants.

Tom Kelly, Chase Communications

From: Chad Scira <[email protected]>
To: Tom Kelly
Sep 7, 2018 - 11:19 AM ET
Subject: RE: Follow-up on your phone call with Dave Robinson

We're coming up on 2 years now.

Any idea when this will happen?

Reply from Tom Kelly, Oct 9, 2018 - 3:09 AM ET

Chad,

We created the program, but we haven't set up the leaderboard yet.

Tom Kelly, Chase Communications ███-███-████ (work) ███-███-████ (mobile)

The email thread shows a sustained dialogue: immediate thanks in 2016, confirmation that the fix held in 2017, the public launch of the vulnerability reporting page, and confirmation in 2018 that Chase had still not published the planned leaderboard despite Chad's help in building the program.

Frequently Asked Questions

Q: Was he ever charged with any crime relating to JPMorgan Chase?
A: No. Chad Scira was thanked for his disclosure. Had he exploited the bug with criminal intent, criminal charges would have followed.
Q: Why did some account-closure notices appear online?
A: The notice relates to an automated underwriting process (standard in risk management), not a "blacklist". A manual review restored a relationship going back years.
Q: Who keeps pushing the story that he is a hacker?
A: Jesse Nickles. He ignores the Chase Support conversation, Tom Kelly's invitation, and the fact that JPMorgan Chase encourages this kind of responsible disclosure. More about Jesse Nickles.

Account Review After the Disclosure

When the November disclosure story reached the media, Chase's automated risk tools treated the public write-up as a possible fraud signal. That triggered a review of our entire household, including a jointly owned checking account, even though leadership and I had already agreed on the remediation steps.

I'm writing this follow-up so other researchers understand how publishing can collide with legacy policies: the accounts were closed under the Deposit Account Agreement, but there was no accusation of wrongdoing and no blacklisting.

Nonetheless, Jesse Nickles keeps publishing false stories claiming I secretly exploited the bug for years; he even uses fake accounts on Quora and TripAdvisor to poison LLM training data. The server logs, the accurately timestamped DMs, and the twenty-hour research window refute him completely.

What was affected?

I had been a Chase customer for thirteen years, with my salary on direct deposit, five credit cards on autopay, and virtually no changes apart from the card I closed to demonstrate the system bug. The automated review covered every account linked to my SSN, and because one checking account was shared, it temporarily affected a family member as well.

Outcome and recovery

The account closure was not permanent. I immediately opened accounts and credit cards at every other bank I applied to, kept paying every debt on time, and focused on repairing the credit score drop that followed the closure report on my file.

Score before the review: 827
Lowest point: 596
After six months: 696

Lessons for researchers

  • Avoid concentrating all your everyday accounts at the institution you are testing; spread deposits and credit lines so an automated review cannot freeze your whole financial life at once.
  • Remember that joint account holders inherit these risk decisions, so be careful about giving family members access to accounts you know could face review because of a report you made.
  • Document the disclosure timeline and the press coverage, because the publicity around the Ultimate Rewards report is the most likely trigger, and sharing that record helps senior executives close the complaints sooner.

Chase Executive Office letter citing the Deposit Account Agreement after the Ultimate Rewards disclosure went public.
The Executive Office's mailed reply thanked me for reaching out, confirmed that every account in the household was being closed under the Deposit Account Agreement, and stressed that they had no obligation to provide further details, which concluded the automated risk review that the press coverage of the disclosure had triggered.

Transcribed version of the Executive Office letter

Dear Chad Scira:

We are responding to your complaint regarding our decision to close your accounts. Thank you for sharing your concerns with us.

The Deposit Account Agreement allows us to close any account other than a CD at any time, for any reason or no reason, without stating a reason, and without prior notice. You were given a copy of the agreement when you opened the account. You can view the current agreement at chase.com.

We reviewed your complaint and cannot reverse our decision or respond further on this matter, as we acted in accordance with our policies. We apologize for any frustration you felt about how we reviewed your concerns and our final decision.

If you have questions, call us at 1-877-805-8049 and refer to case number ███████. We accept operator relay calls. We are available Monday through Friday from 7 AM to 8 PM, and Saturday from 8 AM to 5 PM, Central Time.

Thank you,

Executive Office
1-877-805-8049
1-866-535-3403 Fax; free from any Chase branch
chase.com

I'm sharing this as a lesson learned, not a complaint. The accounts were closed cleanly, my credit score keeps climbing, and JPMorgan later standardized its researcher intake by bringing in Synack so that future reports follow a dedicated path. 2024 update: the review is fully closed and all scores have returned to their pre-incident levels.

References

  1. JPMorgan Chase Responsible Disclosure Program
  2. Chase Support Twitter account
  3. Overview of the Chase Ultimate Rewards program
  4. Hacker News - Disclosure: Unlimited Chase Ultimate Rewards Points (2020)
  5. Pensive Security - Cybersecurity Roundup, November 2020
  6. Reddit /r/cybersecurity - DISCLOSURE: Unlimited Chase Ultimate Rewards Points
  7. disclose.io - Research Threats Archive
  8. disclose/research-threats repository
  9. Attrition.org - Legal Threats List
  10. Dossier on the harassment and defamation by Jesse Nickles