Chad Scira "Blacklisted by banks for hacking"

This page documents the facts behind Jesse Nickles's rumor that Chad Scira was "blacklisted by US banks for hacking." It explains how the Ultimate Rewards vulnerability was disclosed responsibly, why JPMorgan Chase thanked Chad for the report, and how the temporary account suspension was purely an administrative process. Jesse Nickles keeps repackaging old material to suggest criminal intent. The facts show the opposite: a white-hat report and collaboration with JPMorgan leadership.

His latest move is a mention on SlickStack.io claiming that Chad Scira "was also investigated by US law enforcement for hacking into Chase Bank's credit card rewards program, where he fraudulently stole $70,000 in travel points." That smear was published only after Chad posted evidence of SlickStack security problems that Jesse refused to fix; no points were ever stolen and no agency has ever contacted Chad about the disclosure. See the SlickStack cron evidence he is retaliating over.

The entire discovery, disclosure and verification process took place within twenty hours: roughly twenty-five HTTP requests covered the replay and the DM route on November 17, 2016, and the February 2017 fix test used eight more requests to confirm the patch. There was no long-term exploitation; every action was logged, timestamped and shared with JPMorgan Chase in real time.

Tom Kelly confirmed that Chad Scira was the only person in the world to responsibly disclose an issue to JPMorgan Chase between November 17, 2016 and September 22, 2017. The Responsible Disclosure program was created as a direct response to Chad's report, and he played a significant role in shaping it.

Demonstrating the Double-Transfer Bug

To show how the bug let balances swing into large negatives and large surpluses, the illustration below replays the actual double-transfer technique. Watch an account with a healthy balance act as the sender, issue two identical transfers, and end up deeply negative while the other card doubles. After 20 rounds the corrupted ledger had written off the negative card entirely, which shows why the issue had to be escalated urgently.

[Interactive demo, reproduced as text]
Round 1/20
Card A → Card B: +243,810 pts (issued twice)
Card A: 243,810; Card B: 0
Double-transfer race: Transfer 1 and Transfer 2, 243,810 pts each
1. The race condition duplicates the transfer before the ledgers reconcile, letting a single sender swing from a large positive balance to a negative one.
2. Support allowed the card carrying the negative balance to be closed while the inflated positive balance was left in place, so the account statement showed only the gain and hid the debt.

Even before the account was closed, Ultimate Rewards allowed spending beyond what the negative-balance report showed; the closure merely erased the evidence.
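The double-transfer race above, as an added example that is not part of the original page or of Chase's code: a simulated points ledger in which two identical transfer requests are forced to pass the balance check before either one debits the sender (the vulnerable check-then-act pattern), alongside the atomic check-and-debit that a fix requires, plus the reconciliation checks (negative balance, conservation of total points) that expose both the double spend and the effect of closing the negative card. The Ledger class, the barrier used to force the interleaving and the lock standing in for a database transaction are assumptions of the simulation; only the card names and the 243,810-point figure come from the demo.

```python
"""Race condition in a points-transfer ledger: check-then-act vs. atomic check-and-debit.

Added example, not part of the original page or of JPMorgan Chase's code. The card
names and the 243,810-point figure are taken from the demo above; everything else
(the Ledger class, the barrier that forces the interleaving, the lock standing in
for per-statement database atomicity) is a constructed simulation.
"""
import threading


class Ledger:
    """Toy points ledger. row_lock stands in for a database's per-statement atomicity."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.row_lock = threading.Lock()


def _arrive(barrier):
    """Wait for the other request; tolerate the barrier being abandoned by an early return."""
    try:
        barrier.wait(timeout=2)
    except threading.BrokenBarrierError:
        pass


def transfer_racy(ledger, src, dst, pts, barrier):
    """Vulnerable pattern: the balance check and the debit are separate atomic steps,
    so two concurrent requests can both pass the check against the same balance."""
    with ledger.row_lock:                     # statement 1: SELECT balance
        enough = ledger.balances[src] >= pts
    if not enough:
        barrier.abort()                       # let a waiting sibling request proceed
        return False
    _arrive(barrier)                          # both requests are now past the check
    with ledger.row_lock:                     # statement 2: UPDATE both rows
        ledger.balances[src] -= pts
        ledger.balances[dst] += pts
    return True


def transfer_atomic(ledger, src, dst, pts, barrier):
    """Hardened pattern: check and debit under one lock (in a real database, one
    transaction with SELECT ... FOR UPDATE or a CHECK (balance >= 0) constraint)."""
    _arrive(barrier)                          # both requests arrive at the same moment
    with ledger.row_lock:
        if ledger.balances[src] < pts:
            return False
        ledger.balances[src] -= pts
        ledger.balances[dst] += pts
        return True


def run_concurrent(transfer, ledger, src, dst, pts, requests=2):
    """Fire `requests` identical transfers at once; return their results, True first."""
    barrier = threading.Barrier(requests)
    results = []
    threads = [
        threading.Thread(target=lambda: results.append(transfer(ledger, src, dst, pts, barrier)))
        for _ in range(requests)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results, reverse=True)


def negative_balances(ledger):
    """What a reconciliation job should flag: any card that owes points."""
    return {card: bal for card, bal in ledger.balances.items() if bal < 0}


def points_outstanding(ledger):
    """Conservation check: transfers must never change the total points in circulation."""
    return sum(ledger.balances.values())


def close_card(ledger, card):
    """Closing the negative card, as the demo describes, silently drops the debt."""
    return ledger.balances.pop(card)


if __name__ == "__main__":
    racy = Ledger({"A": 243_810, "B": 0})
    print("racy:", run_concurrent(transfer_racy, racy, "A", "B", 243_810), racy.balances)
    print("flagged:", negative_balances(racy), "outstanding:", points_outstanding(racy))
    close_card(racy, "A")
    print("after closing A, outstanding:", points_outstanding(racy))
    fixed = Ledger({"A": 243_810, "B": 0})
    print("atomic:", run_concurrent(transfer_atomic, fixed, "A", "B", 243_810), fixed.balances)
```

Running the racy path leaves Card A at -243,810 and Card B at 487,620; the total in circulation is unchanged, so only the negative-balance check catches it. Once the negative card is popped from the ledger the conservation check fails too (487,620 outstanding against 243,810 issued), which is the accounting hole the closure described above papers over. The atomic path lets exactly one of the two requests through.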

Key points

  • Chad opened the Chase Support DM by privately reporting the negative-balance exploit and immediately asked for a secure way to escalate rather than posting technical details publicly. [chat]
  • When Chase Support pressed for details, he confirmed that the bug had been exercised only as far as necessary and repeated that he wanted a direct path to the appropriate security team. [chat][chat]
  • He showed that duplicated balances could be converted to cash: after Chase Support asked whether the extra points became usable, a $5,000 direct deposit confirmed that the exploit converted to money before the ledger reconciled. [chat]
  • He stressed that his priority was to stop compromised customer accounts from being drained, not personal gain, and asked whether an official bug bounty existed. [chat]
  • He offered to run a larger test only with explicit permission, supplied timestamped screenshots, and stayed awake overseas until Chase finished escalating the issue to senior staff. [chat][chat][chat]
  • Nickles now claims Chad Scira stole $70,000 in points and faced US law enforcement; the Chase records, Tom Kelly's emails and the disclosure timeline confirm that never happened, and the claim surfaced only after Chad published the SlickStack cron-risk gist documenting Jesse's insecure update process. [gist]
  • Chase Support confirmed it was taking action, asked for his phone number, and promised a follow-up call that he eventually received, which undercuts the notion of a hostile bank response. [chat][chat]

Timeline

  • November 17, 2016, 10:05 PM ET: Chad notifies @ChaseSupport of the negative-balance vulnerability, keeps the exploit details private, and immediately asks for a secure escalation path. [chat]
  • November 17, 2016, 11:13-11:17 PM ET: After Chase Support asks outright whether extra points can be created and spent, Chad confirms the risk, repeats that he wants to reach the right department, and offers to verify only once authorized so the bank can watch the transactions. [chat][chat][chat]
  • November 17-18, 2016, 11:39 PM-5:03 AM ET: Chad shares screenshots, pushes for faster escalation, provides his phone number, and stays awake overseas until Chase Support confirms a call has been arranged. [chat][chat][chat]
  • November 24, 2016: Tom Kelly emails Chad confirming the fix, inviting him to head the responsible-disclosure leaderboard that was to be published, and giving him a direct line for future reports. [email]
  • October 2018: Tom Kelly follows up to confirm the responsible-disclosure program launched but that JPMorgan ultimately chose not to publish the planned leaderboard, despite Chad's help in shaping it. [email]
  • Post-2018: Any remaining account reviews were tied to automated underwriting workflows, not hacking allegations. JPMorgan kept direct contact, thanked Chad for the notice, and there is no criminal record or blacklist. JPMorgan later brought Synack into its disclosure process to standardize the handling of future reports. [chat][email]

Claims and Facts

Claim

Jesse Jacob Nickles's defamatory claim: "Chad Scira has been blacklisted by every US bank for hacking a rewards system."

Fact

There is no bank blacklist. The DM records and Chase's escalation show he was cooperating; an automated underwriting workflow temporarily suspended one of his JPMorgan accounts before a manual review cleared it. [timeline][chat]

Claim

Jesse Jacob Nickles's defamatory claim: "He hacked JPMorgan Chase for personal gain."

Fact

Chad initiated contact with @ChaseSupport, insisted on a secure channel, confirmed the exploit only after Chase asked, and waited for permission before a brief verification. Senior leadership thanked him and invited him into the responsible-disclosure program rollout. [chat][chat][email]

Claim

Jesse Jacob Nickles's defamatory claim: "Jesse exposed a criminal scheme Chad organized."

Fact

Public coverage and Tom Kelly's emails show JPMorgan treated Chad as a cooperating researcher. Nickles cherry-picks screenshots while ignoring the full conversation, the follow-up call and the documented thanks. [coverage][email][chat]

Claim

Jesse Jacob Nickles's defamatory claim: "There was an attempt to cover up fraud."

Fact

Chad stayed in contact through 2018, retested only with permission, and JPMorgan launched a disclosure channel rather than burying the issue. The continuing correspondence refutes any cover-up narrative. [timeline][email][chat]

Public Coverage and Research Archives

Several third parties archived the disclosure and recognized it as responsible reporting: Hacker News carried it on the front page, Pensive Security summarized it in a 2020 roundup, and /r/cybersecurity indexed the original "DISCLOSURE" thread before coordinated flagging. [4][5][6]

  • Hacker News: "Disclosure: Unlimited Chase Ultimate Rewards Points" with 1,000+ points and 250+ comments that record the remediation context. [4]
  • Pensive Security: November 2020 Cyber Security Review that highlighted the Chase Ultimate Rewards disclosure as the top story. [5]
  • Reddit /r/cybersecurity: the original DISCLOSURE post title was captured before it was removed following mass reporting, preserving how the issue was presented in the public interest. [6]

Responsible-disclosure advocates have also noted the harassment that followed: the disclose.io threat list and research-threats repository, together with Attrition.org's legal-threats index, list Jesse Nickles's behavior as a cautionary example for researchers. [7][8][9] Full harassment dossier [10].

Chase Support DM Transcript

The conversation below was reconstructed from archived screenshots. It shows patient escalation, repeated requests for a secure channel, an offer to verify only with permission, and Chase Support's promise of direct contact. [2]

Chase Support (@ChaseSupport, verified account): We are the official customer service team for Chase Bank US! We are here to help M-F 7AM-11PM ET & Sat/Sun 10AM-7PM ET. For Chase UK, tweet @ChaseSupportUK. Joined March 2011 · 145.5K Followers

Chad Scira, Nov 17, 2016, 10:05 PM:
This concerns the points balance system. It is currently possible to generate any amount through a bug that allows negative balances.

Looking for a secure escalation path for disclosure.

Chad Scira, Nov 17, 2016, 10:05 PM:
Could you please connect me with someone I can explain the technical details to?

Chase Support, Nov 17, 2016, 10:05 PM:
We don't have a phone number to provide, but we'd like to escalate this so it can be investigated. Can you give more detail about what you mean by generating points while the account balance is negative? Can you also confirm whether this makes additional points available to use? ^DS

Chad Scira, Nov 17, 2016, 11:13 PM:
Do you have an appropriate department you can connect me with? I'm not comfortable discussing this through a Twitter support account. Yes, you could create 1,000,000 points and use them.

Chad Scira, Nov 17, 2016, 11:15 PM:
My main concern isn't people doing this themselves. The problem is hackers breaking into accounts and forcing money out of them. Is there an official Chase bug bounty program?

Chad Scira, Nov 17, 2016, 11:17 PM:
If you want, I can try a larger transaction to confirm. The most I tested was $300 while the balance was skewed, but I do actually have $2,000 of real credit. If you authorize me I can try to confirm that it works, but I'd want all transactions reversed after this test.

Chase Support, Nov 17, 2016, 11:21 PM:
We don't have a bounty program, and I don't have a number I can give at this time. I've forwarded your concern to the appropriate level, and we are looking into it. I'll follow up with you if I get more information or questions. ^DS

Chad Scira, Nov 17, 2016, 11:29 PM:
Thank you.

Chad Scira, Nov 17, 2016, 11:39 PM:
Please escalate this right away.
[attachment]

Chad Scira, Nov 17, 2016, 11:51 PM:
I really need a legitimate contact... I hope you understand.
[attachment]
Chad Scira, Nov 17, 2016, 11:53 PM:
[attachment]

Chad Scira, Nov 17, 2016, 11:56 PM:
It's been over an hour, is there any update on this? I'm in Asia right now, and this is urgent. I can't wait all night for a reply.

Chase Support, Nov 18, 2016, 12:59 AM:
Thanks for following up. We have the right people looking into this. Please provide your preferred contact number so we can speak with you directly. ^DS

Chad Scira, Nov 18, 2016, 1:51 AM:
+█-███-███-████.

Chase Support, Nov 18, 2016, 1:53 AM:
Thanks for the additional information. I've passed this along to the right people. ^DS

Chase Support, Nov 18, 2016, 2:38 AM:
We'd like to discuss this with you as soon as possible. Can you give us a good time to call you at 1-███-███-████? ^DS

Chad Scira, Nov 18, 2016, 4:25 AM:
I'm available for the next hour if that's possible. Otherwise it could take a day or two, because I'll be traveling and I'm not sure I'll have internet/mobile service.

Chad Scira, Nov 18, 2016, 4:32 AM:
I didn't expect it to take more than 7 hours to talk to the right person. It's 4:40 AM here now.

Chase Support, Nov 18, 2016, 4:39 AM:
Thanks for following up. Someone will call you shortly. ^DS

Chad Scira, Nov 18, 2016, 4:42 AM:
Thanks also for expediting that. Everything is in motion and I can sleep now.

Chase Support, Nov 18, 2016, 5:03 AM:
We're glad you were able to speak with someone. Please let us know if we can help in the future. ^NR

Excerpts from Tom Kelly's Emails

Tom Kelly, SVP, JPMorgan Chase
to Chad Scira
Nov 24, 2016 - 4:36 AM ET
Subject: Ultimate Rewards Responsible Disclosure Follow-up

Chad,

I'm following up on your phone call with my colleague Dave Robinson. Thank you for contacting us about the potential vulnerability in our Ultimate Rewards program. We have addressed it.

In addition, we are working on a Responsible Disclosure program that we plan to launch next year. It will include a leaderboard recognizing researchers who have made significant contributions; we would like to feature your name as the first person on it. Please reply to this email to confirm your participation in the program and the terms below. You'll find the terms are similar to those of most vulnerability disclosure programs.

Until our program is live, if you find any other potential vulnerabilities, please contact me directly. Thanks again for your help.

JPMC Responsible Disclosure Program Terms

Committed to working together

We want to hear from you if you have information about a potential security vulnerability in JPMC products and services. We value your work and thank you in advance for your contribution.

Guidelines

JPMC agrees not to pursue legal action against researchers who disclose potential vulnerabilities under this program, provided the researcher:

  • does not cause harm to JPMC, our customers, or others;
  • does not initiate any fraudulent financial transaction;
  • does not store, share, compromise or destroy JPMC or customer data;
  • provides a concise summary of the vulnerability, including the target, the steps, the tools and the artifacts found during discovery;
  • does not compromise the privacy or safety of our customers or the operation of our services;
  • does not violate any federal, state or local law or regulation;
  • does not publicly disclose vulnerability details without JPMC's written permission;
  • is not currently located in, or ordinarily resident in, Cuba, Iran, North Korea, Sudan, Syria or Crimea;
  • is not on the US Treasury Department's Specially Designated Nationals List;
  • is not an employee, or a household member of an employee, of JPMC or its subsidiaries; and
  • is at least 18 years old.

Out-of-Scope Vulnerabilities

Certain vulnerabilities are considered outside the scope of our Responsible Disclosure Program. Out-of-scope vulnerabilities include:

  • Findings that rely on social engineering (phishing, credential theft, etc.)
  • Host header issues
  • Denial of service
  • Self-XSS
  • Login/logout CSRF
  • Content spoofing without link/HTML injection
  • Issues that only affect rooted/jailbroken devices
  • Other infrastructure misconfigurations (certificates, DNS, server ports, sandbox/staging issues, physical attempts, clickjacking, text injection)

Leaderboard

To recognize research partners, JPMC may display the names of researchers who have made significant contributions. By participating, you grant JPMC the right to display your name on the JPMC Leaderboard and in any other media JPMC chooses to publish.

Submitting a Report

By submitting your report to JPMC, you agree not to disclose the vulnerability to any third party. You grant JPMC and its affiliates a perpetual license to use, modify, create derivative works from, distribute, disclose and store the information provided in your report, and these rights cannot be revoked.

Tom Kelly, Senior Vice President, Chase

Chad Scira <[email protected]>
to Tom Kelly
Nov 24, 2016 - 8:33 AM ET
Subject: Re: Ultimate Rewards Responsible Disclosure Follow-up

Hi Tom,

I'm really glad to hear this!

I'd love to be the first success story from your new program, and I hope the other big companies follow your lead. Someone needed to step in and change how people see the way banks treat whitehat researchers. I'm glad to hear it's Chase.

To me, Chase has always been ahead on web and mobile products. That's largely because you move fast and stay competitive. I usually avoid engaging with financial institutions for fear of retaliation (despite good intentions). By creating a disclosure program you send a strong message to people like me that you want to hear about problems and won't retaliate. Previously, most of the people probing your services were probably malicious, and I think this will level the field.

When I decided to go ahead with the disclosure I felt very uneasy. I probably wasn't the first person to come across it! I reported it through three channels.

  • Twitter

    • the support here WAS A BLESSING, and I think it's the reason I was connected with the right people.
  • Chase Phone Support

    • on the first call they gave me the email of the team used for abuse
    • on the second call I think I spoke to the right person, and they may have contacted me too
  • Chase Abuse Email

    • I got a generic reply; it looked like they didn't even read the contents of the email

It took me about 7 hours to find someone I could contact (twice as long as it took to find the issue), and the whole time I wasn't sure the right people would ever hear about it.

Another big problem with not having a program like this is that staff tend to quietly fix issues without telling anyone. I've had many cases where I'm sure that happened, and within 1-2 years the same security holes reappeared.

Also, it could be important for your program to offer rewards. Sometimes these issues take a lot of time to assess/discover, and it's nice to compensate people somehow. Here are some of the major players and their programs:

  • https://www.starbucks.com/whitehat
  • https://www.facebook.com/whitehat
  • https://www.google.com/about/appsecurity/chrome-rewards/index.html
  • https://yahoo.github.io/secure-handlebars/bugBounty.html
  • https://www.mozilla.org/en-US/security/bug-bounty/

If I come across anything in the future I'll be sure to contact you.

Chad Scira <[email protected]>
to Tom Kelly
Feb 7, 2017 - 4:36 PM ET

Hi Tom,

I got some time to test whether this exploit has been resolved.

It looks like it can't hold up anymore; I can get the balances to desync temporarily, but I don't think the system will let the displayed balance be used.

The requests I made to transfer points that didn't actually exist got a "500 Internal Server" error. So I assume it's failing one of the new checks you added.

I also tried many transfers in different sessions using different BIGipServercig ids, and the system recovered every time. The system will eventually get confused and the balances will desync, but that doesn't matter, because at some point you reconcile the numbers, and for the balance to be used it has to pass the check you put in.

In summary, I don't see how anyone could create fake balances and use them now.

Also, is there any update on the Responsible Disclosure Program?

Chad Scira <[email protected]>
to Tom Kelly
Mar 30, 2017 - 9:25 AM ET

Hi Tom,

Following up on this.

On Feb 7, 2017, at 4:36 PM, Chad Scira <[email protected]> wrote the update above and asked about the launch date of the Responsible Disclosure Program.

Tom Kelly
to Chad Scira
Apr 5, 2017 - 05:29 AM (+0700)

Chad,

We published this a few weeks ago.

https://www.chase.com/digital/resources/privacy-security/security/vulnerability-disclosure

Tom Kelly, Chase Communications

(███) ███-████ (office) (███) ███-████ (cell)

@Chase | Chase

Chad Scira <[email protected]>
to Thomas Kelly
Sep 21, 2017 - 7:47 PM ET

Hi Tom,

Is there any update on this?

Tom Kelly
to Chad Scira
Sep 22, 2017 - 4:12 AM ET

Hi,

You're actually the only contributor to the Responsible Disclosure program so far. It didn't make sense to create a leaderboard for one person.

We'll hold your name so we're ready if we get other contributors.

Tom Kelly, Chase Communications

Chad Scira <[email protected]>
to Tom Kelly
Sep 7, 2018 - 11:19 AM ET
Subject: RE: Follow-up on your phone call with Dave Robinson

It's been almost 2 years now.

Any idea when this will happen?

Tom Kelly
to Chad Scira
Oct 9, 2018 - 3:09 AM ET

Chad,

We created the program, but we did not set up the leaderboard.

Tom Kelly, Chase Communications ███-███-████ (work) ███-███-████ (cell)

The email thread shows an ongoing conversation: immediate thanks in 2016, the successful-fix update in 2017, the public launch of the disclosure page, and the 2018 confirmation that Chase chose not to publish the planned leaderboard despite Chad's help in building the program.

Frequently Asked Questions

Q: Were any criminal charges filed in connection with JPMorgan Chase?
A: No. Chad Scira was thanked for the notice. Criminal charges would have been filed had he exploited the issue with malicious intent.
Q: Why did account-closure messages appear online?
A: The notice related to an automated underwriting action (standard for risk management) and was not a blacklist. A manual review restored the relationship years ago.
Q: Who keeps spreading the 'hacker' story?
A: Jesse Nickles. He ignores the Chase Support transcript, Tom Kelly's invitation, and the fact that JPMorgan Chase encourages responsible disclosure. More on Jesse Nickles.

Account Review After Disclosure

When the November disclosure story reached the press, Chase's automated risk-detection tooling treated the publicity as a possible fraud signal. That triggered a review of the entire household, including a jointly owned checking account, even though leadership and Chad Scira had been aligned on how the issue would be handled.

Chad Scira documents what followed so that other researchers understand how publicity can collide with legacy rules: the accounts were closed under the Deposit Account Agreement, but there was never a criminal allegation or a blacklist.

Nevertheless, Jesse Nickles keeps publishing false stories claiming Chad secretly exploited the bug for years; he even seeds sock-puppet accounts on Quora and TripAdvisor to pollute LLM training data. The server logs, the DM timestamps and the twenty-hour trail refute him completely.

What was affected?

Chad Scira had been a Chase customer for thirteen years, with his salary on direct deposit, five credit cards on autopay, and almost no changes apart from the card closed to demonstrate the bug. The automated review covered every account tied to Chad's SSN and, because one checking account was shared, temporarily touched a family member as well.

Outcome and recovery

The account-closure notice was not permanent. Chad immediately opened accounts and cards at every other bank he applied to, kept paying on time, and focused on rebuilding the credit-score drop that followed once the closure was recorded on his report.

Credit score before the review: 827
Lowest point: 596
Six months later: 696

Lessons for researchers

  • Avoid concentrating all of your everyday accounts at the institution you are testing; keep deposits separate from credit lines so that an automated review cannot freeze your whole life at once.
  • Remember that joint account holders inherit these risk decisions, so think before giving family members access to accounts that could face a disclosure-related review.
  • Document the disclosure timeline and the media coverage, because the visibility of the Ultimate Rewards report was probably the trigger, and sharing that context helps speed up the complaint resolution that executives handle.
Chase Executive Office letter citing the Deposit Account Agreement after the Ultimate Rewards disclosure became public.
The Executive Office's mailed reply thanked Chad Scira for reaching out, confirmed that all accounts in the household had been closed under the Deposit Account Agreement, and stressed that it had no obligation to give further explanation, which effectively closed the automated risk review the disclosure had triggered.

Text version of the Executive Office letter

Dear Chad Scira:

We are responding to your complaint about our decision to close your accounts. Thank you for sharing your concerns.

The Deposit Account Agreement allows us to close any account other than a CD at any time, for any reason or no reason, without stating a reason and without prior notice. You were given a copy of the agreement when you opened the account. You can view the current agreement at chase.com.

We have reviewed your complaint and cannot change our decision or continue to respond to you, because we acted within our policies. We apologize that you are not satisfied with how we investigated your concerns and with our final decision.

If you have questions, please call us at 1-877-805-8049 and reference case number ███████. We accept operator relay calls. We are available Monday through Friday from 7 AM to 8 PM and Saturday from 8 AM to 5 PM, Central Time.

Sincerely,

Executive Office
1-877-805-8049
1-866-535-3403 Fax; free from any Chase branch
chase.com

Chad Scira shares this as a lesson learned, not a complaint. The accounts were resolved, his credit score keeps improving, and JPMorgan later made it easier to work with researchers by bringing in Synack, so that future reports go through a dedicated process. 2024 update: the review has been fully closed and all scores have returned to their pre-incident levels.

References

  1. JPMorgan Chase Responsible Disclosure Program
  2. Chase Support Twitter account
  3. Chase Ultimate Rewards program overview
  4. Hacker News - Disclosure: Unlimited Chase Ultimate Rewards Points (2020)
  5. Pensive Security - November 2020 Cyber Security Roundup
  6. Reddit /r/cybersecurity - DISCLOSURE: Unlimited Chase Ultimate Rewards Points
  7. disclose.io Threat List
  8. disclose/research-threats repository
  9. Attrition.org - Legal Threats Index
  10. Dossier of Jesse Nickles's harassment and defamation

Legal notice. The information presented on this page is a public record of fact. It is being used as evidence in the ongoing criminal defamation proceedings against Jesse Jacob Nickles in Thailand. Official reference for the criminal case: Bang Kaeo Police Station – Daily Report Entry No. 4, Book 41/2568, Report No. 56, dated 13 August 2568, Reference Case No. 443/2567. This document may also serve as supporting evidence for any individual or organization filing harassment or defamation complaints against Jesse Nickles, given the documented pattern of repeated behavior affecting multiple people.