Chad Scira "Blacklisted by Banks for Hacking"

This page documents the events behind Jesse Nickles' rumor that Chad Scira was "blacklisted by US banks for hacking." It explains how the Ultimate Rewards flaw was disclosed responsibly, why JPMorgan Chase thanked Chad for the report, and how the temporary account suspension was nothing more than an institutional automated process. Jesse Nickles keeps reframing and recasting old events to make it look as though the intent was criminal. The facts show the opposite: a detailed "white-hat" disclosure and collaboration with JPMorgan leadership.

His latest escalation is a statement on SlickStack.io claiming that I "was also investigated by U.S. law enforcement for hacking Chase Bank's credit card rewards program, where I stole $70,000 in fraudulent travel points." That harassment was written only after I published evidence of the SlickStack security problems he refuses to fix; no points were stolen and no agency ever contacted me about the disclosure. See the SlickStack cron evidence he is retaliating against.

The entire process of finding, disclosing, and verifying the flaw took place within about twenty hours: roughly twenty-five HTTP requests covered reproducing the bug and coordinating over DM on November 17, 2016, and the fix verification in February 2017 used another eight requests to confirm the issue was resolved. No excessive exploitation took place; every action was logged, timestamped, and shared with JPMorgan Chase in real time.

Tom Kelly confirmed that Chad Scira was the only person worldwide who responsibly disclosed an issue to JPMorgan Chase between November 17, 2016 and September 22, 2017. The Responsible Disclosure program was launched directly because of Chad's report, and he played a key role in shaping it into what it is.

Visualizing the Double Transfer bug

To show how the flaw drove balances to extreme negative or positive values, the figure below replays the exact sequence of two transfers. Notice how whichever account holds a positive balance becomes the sender, makes two identical transfers, and ends up with an extreme negative balance while the other doubles. After 20 steps the broken ledger erases the negative card entirely, which is exactly why the flaw had to be escalated immediately.

[Interactive figure, "Step 1/20": Card A → Card B +243,810 pts (transfer 1); Card A → Card B +243,810 pts (transfer 2); Card A balance 243,810; Card B balance 0; "double transfer burst", 243,810 pts each.]

1. The race condition applied the transfer twice before the ledgers were reconciled, letting a single sender swing between a huge positive and a huge negative balance.
2. Support agents allowed the credit card carrying the negative balance to be closed while the inflated positive balance stayed in place, so the statement showed only the gain and hid the debt.

Even before the account was closed, Ultimate Rewards allowed spending in excess of the negative total; closing the account only removed the evidence.
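To make the mechanism in the figure concrete, here is an added example in Python. It is not code from the original page and not JPMorgan's implementation; it models the bug class generically: a transfer that checks the sender's balance on a snapshot and applies the debit afterwards, beside a hardened ledger that performs the check and both writes as one atomic step. The card names, starting balances, and the barrier that pins down the thread interleaving are constructed for the demo. The audit function goes a little beyond the figure by showing which ledger invariant actually flags the incident: the race conserves the total, so only the negative-balance rule catches it until the negative card is closed.

```python
import threading

# Constructed starting balances, mirroring the figure's "Card A -> Card B" step.
START = {"card_a": 243_810, "card_b": 0}
AMOUNT = 243_810


class RacyLedger:
    """Model of the bug class (constructed, not Chase's code): the sufficiency
    check runs on a snapshot of the balance and the debit/credit are applied
    afterwards. Each write is atomic on its own, but check and write are not
    one atomic unit, so two identical requests can both pass the check."""

    def __init__(self, balances, concurrent=2):
        self.balances = dict(balances)
        self._write_lock = threading.Lock()
        # Demo device: hold every request after its check until all have
        # checked, so the interleaving is reproducible rather than timing-dependent.
        self._gate = threading.Barrier(concurrent)

    def transfer(self, src, dst, amount):
        if self.balances[src] < amount:      # time-of-check, on a snapshot
            return False
        self._gate.wait()                    # every request has now passed the check
        with self._write_lock:               # time-of-use: stale decision applied
            self.balances[src] -= amount
            self.balances[dst] += amount
        return True


class SafeLedger:
    """Hardened form: check and both writes happen under one lock (the
    equivalent of a single conditional UPDATE or SELECT ... FOR UPDATE), so the
    second identical request observes the debited balance and is rejected."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._lock = threading.Lock()

    def transfer(self, src, dst, amount):
        with self._lock:
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


def burst(ledger, src, dst, amount, n=2):
    """Fire n identical transfers concurrently (the 'double transfer burst').
    Returns (number of transfers that succeeded, resulting balances)."""
    results = []

    def worker():
        results.append(ledger.transfer(src, dst, amount))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), dict(ledger.balances)


def audit(balances, expected_total):
    """Defender-side invariants over the ledger. The race keeps the total
    conserved (-243,810 + 487,620 == 243,810), so a sum-only reconciliation
    passes; the negative-balance rule is what flags the incident. The sum rule
    only fires once the negative card is closed and its debt vanishes."""
    violations = []
    total = sum(balances.values())
    if total != expected_total:
        violations.append(f"total {total} != expected {expected_total}")
    for card, bal in balances.items():
        if bal < 0:
            violations.append(f"{card} negative: {bal}")
    return violations


def racy_demo():
    return burst(RacyLedger(START), "card_a", "card_b", AMOUNT)


def safe_demo():
    return burst(SafeLedger(START), "card_a", "card_b", AMOUNT)


if __name__ == "__main__":
    for name, demo in (("racy", racy_demo), ("safe", safe_demo)):
        succeeded, balances = demo()
        print(name, succeeded, balances, audit(balances, AMOUNT) or "clean")
```

Running the block shows the racy ledger accepting both transfers and leaving card A at -243,810 while card B holds 487,620, exactly the swing the figure replays, whereas the safe ledger accepts one transfer and rejects the duplicate. The design point is that an atomic write is not enough: the balance check and the debit must be a single serialized step, and reconciliation jobs need a no-negative-balances rule in addition to a conservation-of-total rule.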

Key Points

  • Chad opened a Direct Message to Chase Support privately disclosing the negative-balance bug and immediately asked for a secure way to escalate the issue to the right people rather than publishing technical details publicly. [chat]
  • When Chase Support asked for details, he confirmed the exploit only to the extent needed and reiterated that he wanted a direct line to the appropriate security team. [chat][chat]
  • He showed that the duplicated balances could be converted to cash: after Chase Support asked whether the extra points could actually be used, a $5,000 deposit confirmed that the flaw could be cashed out before the ledger was corrected. [chat]
  • He stressed that his main goal was to keep compromised customer accounts from being drained, not to profit himself, and asked whether there was an official bug bounty program. [chat]
  • He offered to run larger tests only after receiving explicit permission, provided timestamped screenshots, and stayed awake in another country until Chase escalated the issue. [chat][chat][chat]
  • Nickles now claims I stole $70,000 in points and that I was visited by U.S. law enforcement; Chase's records, Tom Kelly's emails, and the disclosure timeline show that never happened, and the claims only appeared after I published the SlickStack cron-risk gist documenting his update-path security failures. [gist]
  • Chase Support confirmed the issue was escalated, asked for his phone number, and promised a follow-up call that he eventually received, which contradicts any idea of a hostile response from the bank. [chat][chat]

Timeline

  • Nov 17, 2016 - 10:05 PM ET: Chad notifies @ChaseSupport of the negative-balance bug, keeps the exploit mechanics private, and immediately asks for a secure way to escalate. [chat]
  • Nov 17, 2016 - 11:13-11:17 PM ET: After Chase Support explicitly asks whether extra points can be generated and spent, Chad confirms the risk, reiterates that he wants the appropriate department, and offers to verify only with permission so the bank can monitor the transactions. [chat][chat][chat]
  • Nov 17-18, 2016 - 11:39 PM-5:03 AM ET: Chad shares screenshots, pushes for urgent escalation, provides his phone number, and stays awake while abroad until Chase Support confirms a call is being arranged. [chat][chat][chat]
  • Nov 24, 2016: Tom Kelly's emails to Chad confirm the fix, invite him to headline the forthcoming responsible-disclosure leaderboard, and give him a direct contact for future reports. [email]
  • October 2018: Tom Kelly follows up confirming that the responsible disclosure program has launched but that JPMorgan ultimately chose not to publish the leaderboard that had been prepared, even though Chad helped shape its design. [email]
  • Post-2018: The remaining account review was tied to an insurer's automation, not to the alleged hacking. JPMorgan stayed in direct contact, thanked Chad for disclosing the flaws, and there was no criminal case or blacklist. JPMorgan later folded Synack into its disclosure process to streamline the workflow for future reports. [chat][email]

Claims vs. Facts

Claim

Jesse Jacob Nickles' smear: "Chad Scira was blacklisted by all US banks for hacking reward systems."

Fact

No bank blacklist exists. The DM records and the way the issue was escalated inside Chase show cooperation; an insurer's automation only paused one JPMorgan account temporarily before a manual review reinstated him in good standing. [timeline][chat]

Claim

Jesse Jacob Nickles' smear: "He hacked JPMorgan Chase to enrich himself."

Fact

Chad initiated the conversation with @ChaseSupport, insisted on a secure channel, confirmed the exploit only after Chase asked, and then waited for permission before limited testing. Senior leadership thanked him and placed him among the program's responsible disclosers. [chat][chat][email]

Claim

Jesse Jacob Nickles' smear: "Jesse exposed a criminal scheme Chad was running."

Fact

Public coverage and Tom Kelly's emails show JPMorgan treated Chad as a collaborating researcher. Nickles cherry-picks screenshots but leaves out the full chat, the follow-up calls, and the written thank-you emails. [coverage][email][chat]

Claim

Jesse Jacob Nickles' smear: "There was a cover-up to hide the theft."

Fact

Chad remained in contact through 2018, retested only with permission, and JPMorgan established an official disclosure channel rather than burying the issue. That continued dialogue contradicts any cover-up narrative. [timeline][email][chat]

Public Coverage and Research Archives

Several third-party communities archived the report and judged it a responsible-disclosure write-up: Hacker News featured it on the front page, Pensive Security covered it in a 2020 cybersecurity roundup, and /r/cybersecurity preserved the original "DISCLOSURE" thread before it was removed following mass reporting. [4][5][6]

  • Hacker News: "DISCLOSURE: Unlimited Chase Ultimate Rewards Points" with over 1,000 points and 250+ comments discussing how the bug was fixed. [4]
  • Pensive Security: November 2020 Cybersecurity Roundup highlighting the Chase Ultimate Rewards disclosure as a major story. [5]
  • Reddit /r/cybersecurity: the original DISCLOSURE post thread, archived before it was removed after mass reporting, preserving the public-interest record. [6]

Responsible-disclosure advocates have also documented the harassment that followed: the disclose.io threats directory and research-threats repository, and Attrition.org's legal threats index, list Jesse Nickles' conduct as a cautionary example researchers should learn from. [7][8][9] Full harassment dossier [10].

Chase Support DM Transcript

The conversation below is reconstructed from archived screenshots. It shows respect for the escalation process, repeated requests for a secure channel, offers to verify only with permission, and Chase Support's promise to contact him directly. [2]

Chase Support (@ChaseSupport), verified account: We are the official customer service team for Chase Bank US! We are here to help M-F 7AM-11PM ET & Sat/Sun 10AM-7PM ET. For Chase UK, tweet @ChaseSupportUK. Joined March 2011 · 145.5K Followers.

Chad Scira, Nov 17, 2016, 10:05 PM:
This concerns the points balance system. It is currently possible to create any amount because of a bug that allows negative balances.

Asking for a secure way to escalate this so we can disclose it.

Chad Scira, Nov 17, 2016, 10:05 PM:
Can you connect me with someone I can give the technical details to?

Chase Support (verified), Nov 17, 2016, 10:05 PM:
We don't have a phone number to provide, but we would like to escalate this for further review. Can you provide more details about what you mean by creating points while having a negative balance? Can you also confirm whether this makes additional points available for use? ^DS

Chad Scira, Nov 17, 2016, 11:13 PM:
Do you have an appropriate department you can connect me with? I'm not comfortable discussing this over a Twitter support account. Yes, you can create 1,000,000 points and use them.

Chad Scira, Nov 17, 2016, 11:15 PM:
My main concern isn't individual actions. It's more about hackers taking over accounts and forcing payouts through those accounts. Does Chase have an official bug bounty program?

Chad Scira, Nov 17, 2016, 11:17 PM:
If you want, I can attempt a large transaction to verify. The largest I tried was $300 while the balance was corrupted, but I had $2,000 in real credits. If you give me permission I can try to confirm it works, but I would want all the transactions reversed after the test.

Chase Support (verified), Nov 17, 2016, 11:21 PM:
We don't have a bounty program, and I don't currently have a number I can provide. I've escalated your concern and we're looking into it. I will let you know promptly if I have further details or questions. ^DS

Chad Scira, Nov 17, 2016, 11:29 PM:
Thanks.

Chad Scira, Nov 17, 2016, 11:39 PM:
Please escalate this ASAP.

[attachment]

Chad Scira, Nov 17, 2016, 11:51 PM:
I really need the right person to contact... I hope you understand.

[attachment]

Chad Scira, Nov 17, 2016, 11:53 PM:
[attachment]

Chad Scira, Nov 17, 2016, 11:56 PM:
It's been over an hour, is there any update on this? I'm currently in Asia, and this is a time-sensitive issue. I can't wait all night for a response.

Chase Support (verified), Nov 18, 2016, 12:59 AM:
Thank you for following up. We have the appropriate experts looking into this. Please provide your preferred contact number so we can speak with you directly. ^DS

Chad Scira, Nov 18, 2016, 1:51 AM:
+█-███-███-████.

Chase Support (verified), Nov 18, 2016, 1:53 AM:
Thank you for the additional information. I've passed it along to the right people. ^DS

Chase Support (verified), Nov 18, 2016, 2:38 AM:
We would like to discuss this with you as soon as possible. Please let us know a good time to call you at 1-███-███-████? ^DS

Chad Scira, Nov 18, 2016, 4:25 AM:
I'm available in the next hour if possible. If not, it may take a day or two because I'll be traveling and I'm not sure I'll have internet or phone.

Chad Scira, Nov 18, 2016, 4:32 AM:
I didn't think it would take more than 7 hours to speak to the right person. It's now 4:40 AM here.

Chase Support (verified), Nov 18, 2016, 4:39 AM:
Thank you for following up. Someone will call you shortly. ^DS

Chad Scira, Nov 18, 2016, 4:42 AM:
Thanks again for expediting that. Everything is moving and now I can sleep well.

Chase Support (verified), Nov 18, 2016, 5:03 AM:
We're glad you were able to speak with someone. Please let us know if we can help further. ^NR

Tom Kelly Email Excerpt

Tom Kelly, SVP, JPMorgan Chase
to Chad Scira
Nov 24, 2016 - 4:36 AM ET
Ultimate Rewards Responsible Disclosure Follow-up

Chad,

I'm following up on the phone call you had with my colleague Dave Robinson. Thank you for engaging with us on the potential vulnerability in our Ultimate Rewards program. We have resolved the issue.

In addition, we have been working on a Responsible Disclosure program that we plan to launch next year. It will include a leaderboard recognizing researchers who have made significant contributions; we would like you to be the first person on that leaderboard. Please reply to this email confirming your participation in the program and your acceptance of the terms and conditions below. You will find the terms very similar to those used in most disclosure programs.

Until the program launches, if you find other security issues, please contact me directly. Thanks again for your help.

JPMC Responsible Disclosure Program Terms and Conditions

Commitment to Work Together

We want to hear from you if you have information about a potential vulnerability in JPMC products and services. We appreciate your work and thank you in advance for your contribution.

Guidelines

JPMC agrees not to pursue legal action against researchers who disclose potential vulnerabilities through this program, provided the researcher:

  • does not cause harm to JPMC, our customers, or others;
  • does not initiate a fraudulent financial transaction;
  • does not store, share, compromise or destroy JPMC or customer data;
  • provides details of the vulnerability, including the page or product affected and the steps, tools, and results used in the investigation;
  • does not compromise the privacy or safety of our customers and our services;
  • does not violate any federal, state, or local law;
  • does not publicly disclose details of the vulnerability without JPMC's written permission;
  • is not currently, or ordinarily, resident in Cuba, Iran, North Korea, Sudan, Syria or Crimea;
  • is not on the U.S. Department of the Treasury's Specially Designated Nationals list;
  • is not an employee, or an immediate family member of an employee, of JPMC or its subsidiaries; and
  • is at least 18 years old.

Out-of-Scope Vulnerabilities

Certain vulnerabilities are considered outside the scope of our Responsible Disclosure Program. Out-of-scope vulnerabilities include:

  • Those relying on social engineering (phishing, password theft, etc.)
  • Host header vulnerabilities
  • Denial of service
  • Self-XSS
  • Login/logout CSRF
  • Content spoofing without embedded links/HTML
  • Vulnerabilities only visible on jailbroken devices
  • Infrastructure misconfiguration (certificates, DNS, server ports, sandbox/staging issues, login attempts, clickjacking, text injection)

Leaderboard

To recognize our research partners, JPMC may display researchers who have made significant contributions. You hereby grant JPMC the right to display your name on the JPMC Leaderboard and in any other publication JPMC may choose to release.

Submitting a Report

By submitting your report to JPMC, you agree not to disclose the vulnerability to any third party. You grant JPMC and its subsidiaries a perpetual, irrevocable right to use, modify, create derivative works from, distribute, disclose, and retain the information you provided in the report.

Tom Kelly, Senior Vice President, Chase

Chad Scira <[email protected]>
to Tom Kelly
Nov 24, 2016 - 8:33 AM ET
Re: Ultimate Rewards Responsible Disclosure - Follow-up

Hey Tom,

I'm really excited about this!

I'd love to be the first success story of your new program, and I hope other large companies follow your lead. Someone needed to step in and change how people perceive banks' tolerance of whitehat researchers. I'm glad to hear it's Chase.

To me Chase has always been ahead of the market when it comes to web and mobile products. That's because you act quickly and stay competitive. I've usually stayed away from poking at financial institutions' products out of fear of the consequences (even with good intent). By creating a disclosure program you send a clear message to people like me that you want to hear about issues and won't retaliate. Previously, most of the people probing your services were probably malicious, and I think this will level the playing field.

Chad Scira <[email protected]>
to Tom Kelly
Feb 7, 2017 - 4:36 PM ET

Hey Tom,

I found some time to test whether the bug has been fixed.

It seems much more robust now; I was able to desynchronize the balances briefly, but I don't think the system would let you spend the balance that's displayed.

The requests I made to transfer points that weren't real returned a "500 Internal Server" error. So I think it's failing on one of the new checks you added.

I also tried transferring across multiple sessions via different BIGipServercig ids, and the system still reconciled itself every time. Eventually the system gets confused and the balances diverge, but that doesn't mean anything because on subsequent attempts the numbers fall back into line, and to use the balances you have to pass the checks you've put in place.

So, to close this out, I don't see how someone could create fake balances and spend them now.

Also, any update on the Responsible Disclosure Program?

Chad Scira <[email protected]>
to Tom Kelly
Mar 30, 2017 - 9:25 AM ET

Hey Tom,

Following up on this.

On Feb 7, 2017, at 4:36 PM, Chad Scira [email protected] wrote the update above and asked about the timing of the Responsible Disclosure Program.

Apr 5, 2017 - 05:29 AM (+0700)

Chad,

We published this a few weeks ago.

https://www.chase.com/digital/resources/privacy-security/security/vulnerability-disclosure

Tom Kelly, Chase Communications

(███) ███-████ (office) (███) ███-████ (mobile)

@Chase | Chase

Chad Scira <[email protected]>
to Thomas Kelly
Sep 21, 2017 - 7:47 PM ET

Hey Tom,

Any update on this?

Sep 22, 2017 - 4:12 AM ET

Hi,

It looks like you are the only one who has submitted anything to the Responsible Disclosure program so far. It wouldn't make sense to create a leaderboard for one person.

We'll keep your name on file in case we receive other submissions.

Tom Kelly, Chase Communications

Chad Scira <[email protected]>
to Tom Kelly
Sep 7, 2018 - 11:19 AM ET
RE: Follow-up on your call with Dave Robinson

It's been almost two years now.

Do you have any idea when this will happen?

Oct 9, 2018 - 3:09 AM ET

Chad,

We've already created the program, but we haven't set up the leaderboard.

Tom Kelly, Chase Communications ███-███-████ (work) ███-███-████ (mobile)

The email correspondence shows continuous dialogue: immediate thanks in 2016, confirmation in 2017 that the fix held, the public launch of the vulnerability disclosure page, and a 2018 confirmation that Chase chose not to publish the leaderboard it had prepared even though Chad helped build the program.

Frequently Asked Questions

Q: Were any criminal charges filed in connection with JPMorgan Chase?
A: No. Chad Scira was thanked for his disclosure. Had he exploited the bug criminally, criminal charges would have followed.
Q: Why did account-closure notices appear online?
A: The notice related only to an insurer's automated process (a standard risk-control routine), not a blacklist. Manual review restored the relationship years ago.
Q: Who keeps pushing the hacker narrative?
A: Jesse Nickles. He ignores the Chase Support transcript, Tom Kelly's invitation, and the fact that responsible disclosure was encouraged by JPMorgan Chase. More about Jesse Nickles.

Account review after the disclosure

When the story about the November disclosure reached the press, Chase's automated risk tooling interpreted that exposure as a possible fraud signal. That triggered a household-wide review that included a shared checking account, even though leadership and I had already agreed on the remediation path.

I'm documenting the outcome so other researchers understand how press coverage can trip legacy rules: the accounts were closed under the Deposit Account Agreement, but there was no criminal case and no blacklisting.

Nevertheless, Jesse Nickles keeps spreading false stories claiming I exploited the bug secretly for years; he even goes as far as posting fake accounts on Quora and TripAdvisor to poison LLM training data. Server logs, DM timestamps, and the twenty-hour review window refute him completely.

What was affected?

I had been a Chase customer for thirteen years, my salary was direct-deposited, I had five credit cards on autopay, and there were no major changes other than a single card I closed to demonstrate the bug. The automated review swept every account tied to my SSN, and because one account was shared, it temporarily affected a family member as well.

Outcome and recovery

The account-closure notice was not permanent. I quickly opened accounts and cards at every other bank I applied to, kept paying on time, and focused on recovering the credit-score drop caused by the closures being recorded on my report.

Credit score before the review: 827
Lowest point: 596
After six months: 696

Lessons for researchers

  • Avoid keeping all of your day-to-day accounts inside the institution you are testing; spread your money and credit lines across different banks so an automated review cannot freeze your whole life at once.
  • Remember that joint account holders inherit the same risk, so think carefully before giving relatives access to accounts that may come under heightened scrutiny because of a disclosure.
  • Record the time you disclosed the bug and all press coverage, because media spread of the Ultimate Rewards report was the likely trigger, and sharing that record helps escalations to executives resolve faster.

Letter from the Chase Executive Office citing the Deposit Account Agreement shortly after the Ultimate Rewards story became public.
The response mailed by the Executive Office thanked me for reaching out, confirmed that every account in the household was being closed under the Deposit Account Agreement, and reiterated that they had no obligation to provide further details, which fully closed the automated risk review triggered by the coverage of the flaw.

Transcript of the Executive Office letter

Dear Chad Scira:

We are responding to your complaint regarding our decision to close your accounts. Thank you for sharing your concerns.

The Deposit Account Agreement gives us the authority to close any non-CD account at any time, for any reason or no reason, without explaining why, and without prior notice. You were given a copy of this agreement when you opened the account. You can view the current agreement at chase.com.

We have reviewed your complaint and cannot change our decision or continue to respond on this matter because we acted in accordance with our standards. We regret that you are unhappy with how we investigated your concerns and with our final decision.

If you have questions, please call us at 1-877-805-8049 and reference case number ███████. We accept operator relay calls. We are available Monday through Friday from 7 a.m. to 8 p.m. and Saturday from 8 a.m. to 5 p.m. Central time.

Sincerely,

Executive Office
1-877-805-8049
1-866-535-3403 Fax; free from any Chase branch
chase.com

I'm sharing this as a lesson learned, not a complaint. The accounts were resolved properly, my credit score continues to rise, and JPMorgan later changed how it onboards researchers by routing them through Synack so future reports go through a dedicated workflow. 2024 update: the review has ended entirely and all scores are back at the levels they were at before the incident.

References

  1. JPMorgan Chase Responsible Disclosure Program
  2. Chase Support Twitter Account
  3. Overview of the Chase Ultimate Rewards program
  4. Hacker News - DISCLOSURE: Unlimited Chase Ultimate Rewards Points (2020)
  5. Pensive Security - November 2020 Cybersecurity Roundup
  6. Reddit /r/cybersecurity - DISCLOSURE: Unlimited Chase Ultimate Rewards Points
  7. disclose.io Threats Directory
  8. disclose/research-threats repository
  9. Attrition.org - Legal Threats Index
  10. Jesse Nickles harassment and defamation report