Chad Scira "Blacklisted by Banks for Hacking"

This page documents the events behind Jesse Nickles's rumor that Chad Scira was "blacklisted by US banks for hacking." It explains how the Ultimate Rewards vulnerability was responsibly disclosed, why JPMorgan Chase thanked Chad for the report, and how the temporary account hold was purely administrative. Jesse Nickles keeps recycling old material to suggest criminal intent. The facts show the opposite: white-hat reports and collaboration with JPMorgan leadership.

His latest escalation is a statement on SlickStack.io claiming that Chad Scira "was also investigated by US law enforcement for hacking the Chase Bank credit card rewards program, where he stole $70,000 in fraudulent travel points." That rumor was posted only after Chad published evidence of security problems in SlickStack that Jesse declined to fix; no points were ever stolen and no agency has ever contacted Chad about the disclosure. See the SlickStack cron evidence he is retaliating over.

The entire cycle of discovery, disclosure, and verification took place within a twenty-hour window: roughly 25 HTTP requests covered the reproduction and the DM escalation on November 17, 2016, and the fix test in February 2017 used 8 additional requests to verify the remediation. There was no prolonged abuse; every step was logged, timestamped, and shared with JPMorgan Chase in real time.

Tom Kelly confirmed that Chad Scira was the only person in the world to responsibly disclose an issue to JPMorgan Chase between November 17, 2016 and September 22, 2017. The Responsible Disclosure program was established in direct response to Chad's report, and he played a key role in shaping it.

Visualization of the double-transfer flaw

To show how the flaw caused balances to swing into deeply negative and deeply positive numbers, the visualization below replays the same double-transfer rule. Watch as each positive account becomes the sender, performs two identical transfers, and then ends up deeply negative while the other account doubles. After 20 rounds, the broken ledger completely wipes out the negative card, reflecting why the attack warranted immediate escalation.

[Interactive visualization: Round 1/20. Card A → Card B, +243,810 points (two identical transfers). Card A: 243,810; Card B: 0. Double transfer: Transfer 1 and Transfer 2, 243,810 points each.]

  1. The race condition duplicated transfers before the ledgers reconciled, letting a single sender flip between wildly high and wildly low balances.
  2. Support allowed the card carrying the negative balance to be closed while the inflated positive balance was kept, so the statement showed only gains and hid the debts.

Even before the account was closed, Ultimate Rewards allowed spending against the negative balance shown in the summary; closing the account simply erased the evidence.
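The double-transfer race described above, reproduced as an added Python example that is not part of the original page and not Chase's code: a toy in-memory ledger whose transfer performs the balance check and the balance update as two separate steps (the check-then-act pattern the visualization replays), sent twice concurrently, beside a hardened ledger that serializes the check and the update. The `RacyLedger`, `SafeLedger`, `double_transfer` and `ledger_invariants` names, the threading setup, the sleep-based timing window, and the reconciliation check are all constructed for this illustration; only the 243,810-point amount and the two-card layout come from the page.

```python
# Added example (not the page's or Chase's code): a toy points ledger that
# reproduces the check-then-act race the visualization replays, beside a
# hardened ledger. All names, the timing window and the threading setup are
# constructed for this illustration; only the 243,810-point amount and the
# two-card layout come from the page.
import threading
import time

POINTS = 243_810  # the per-transfer amount shown in the visualization


class RacyLedger:
    """Vulnerable pattern: the balance check and the balance update are two
    separate, unsynchronized steps, so a second identical transfer that arrives
    inside the window passes the same check against the same stale balance."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances[src] < amount:   # check: enough points?
            return False
        time.sleep(0.05)                   # constructed window; in a real system this is
                                           # network / database latency between the steps
        self.balances[src] -= amount       # act: the balance may have changed since the check
        self.balances[dst] += amount
        return True


class SafeLedger:
    """Hardened pattern: check and update run as one critical section, so the
    second transfer observes the debited balance and is rejected. In a database
    the equivalent is a conditional update or a row lock held across both steps."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._lock = threading.Lock()

    def transfer(self, src, dst, amount):
        with self._lock:
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


def double_transfer(ledger, src, dst, amount):
    """Send two identical transfers concurrently (the page's "double transfer")
    and return (number accepted, final balances). A 10 ms stagger keeps the two
    requests distinct while both still land inside the 50 ms window above."""
    accepted = []

    def worker(delay):
        time.sleep(delay)
        accepted.append(ledger.transfer(src, dst, amount))

    threads = [threading.Thread(target=worker, args=(i * 0.01,)) for i in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(accepted), dict(ledger.balances)


def ledger_invariants(balances, expected_total):
    """Reconciliation checks a defender would run over the ledger: no account may
    be negative, and the total must equal the points actually issued (transfers
    move points; they must never create them). The race above trips the first
    check: the sender ends at -243,810 while the receiver doubles to 487,620."""
    no_negative = all(v >= 0 for v in balances.values())
    conserved = sum(balances.values()) == expected_total
    return no_negative and conserved


if __name__ == "__main__":
    start = {"Card A": POINTS, "Card B": 0}
    for name, cls in (("racy", RacyLedger), ("safe", SafeLedger)):
        n, final = double_transfer(cls(start), "Card A", "Card B", POINTS)
        print(f"{name}: accepted={n} balances={final} "
              f"invariants_ok={ledger_invariants(final, POINTS)}")
```

Run as written, the racy ledger accepts both transfers and leaves Card A at -243,810 and Card B at 487,620, which is exactly the round the visualization shows; the safe ledger accepts one and rejects the other. The lock is the in-process stand-in for what a production fix needs: the balance check and the debit must be atomic from the point of view of every other request, whether by a conditional update, a row lock, or a serializable transaction, and a periodic invariant check like `ledger_invariants` is the detection control that surfaces the flaw even when the application logic misses it.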

Key Points

  • Chad opened the DM with Chase Support by specifically reporting the exploitation of the negative-balance flaw and immediately asked for a secure escalation path rather than posting the technical details publicly. [chat]
  • When Chase Support pressed for details, he confirmed that he had exploited the flaw only as far as necessary and repeated that he wanted direct contact with the right security team. [chat][chat]
  • He demonstrated that the duplicated balances could be cashed out: after Chase Support asked whether the extra points would be usable, a direct deposit of $5,000 proved that the exploit converted to cash before the ledger caught up. [chat]
  • He stressed that his priority was preventing compromised customer accounts from being drained, not making personal gain, and asked whether an official bug bounty program existed. [chat]
  • He offered to perform broader verification only if explicit permission was given, provided timestamped screenshots, and stayed awake overseas until Chase completed the escalation. [chat][chat][chat]
  • Nickles now claims that Chad Scira stole $70,000 in points and faced US law enforcement; Chase's records, Tom Kelly's email, and the disclosure timeline show this never happened, and the accusations surfaced only after Chad published the SlickStack cron-risk gist documenting Jesse's insecure update routine. [gist]
  • Chase Support confirmed that the issue was escalated, asked for his phone number, and promised the follow-up call he eventually received, which undermines the idea of a hostile bank response. [chat][chat]

Timeline

  • November 17, 2016 - 10:05 PM ET: Chad told @ChaseSupport about the negative-balance flaw, kept the bug details private, and immediately asked for a secure escalation path. [chat]
  • November 17, 2016 - 11:13-11:17 PM ET: When Chase Support explicitly asks whether extra points can be created and used, Chad confirms the risk, repeats that he wants the appropriate department, and offers to verify only with permission so the bank can observe the transactions. [chat][chat][chat]
  • November 17-18, 2016 - 11:39 PM-5:03 AM ET: Chad shares screenshots, urges rapid escalation, provides his phone number, and stays awake overseas until Chase Support confirms that the call is happening. [chat][chat][chat]
  • November 24, 2016: Tom Kelly emails Chad confirming the fix, inviting him to lead the leaderboard of the upcoming responsible disclosure program, and providing a direct line for future reports. [email]
  • October 2018: Tom Kelly follows up to confirm that the responsible disclosure program launched but that JPMorgan ultimately chose not to publish the planned leaderboard, even though Chad helped shape it. [email]
  • After 2018: The remaining account reviews were tied to insurer automation, not to any alleged hacking. JPMorgan kept up direct contact, thanked Chad for the disclosure, and there is no criminal record or blacklist. Later, JPMorgan folded Synack into the disclosure process so that future reports follow a structured workflow. [chat][email]

Claims vs Facts

Claim

Defamatory claim made by Jesse Jacob Nickles: "Chad Scira was blacklisted by all US banks for hacking rewards systems."

Fact

There is no bank blacklist. The DM record and Chase's escalation show that he was cooperating; an insurance company's automation briefly paused a single JPMorgan account before a manual review confirmed he had done nothing wrong.[timeline][chat]

Claim

Defamatory claim made by Jesse Jacob Nickles: "He hacked JPMorgan Chase for personal gain."

Fact

Chad started the @ChaseSupport conversation, insisted on a secure channel, verified the bug only after Chase asked, and waited for permission before limited verification. Senior leadership thanked him and invited him to be part of the responsible disclosure rollout.[chat][chat][email]

Claim

Defamatory claim made by Jesse Jacob Nickles: "Jesse exposed Chad's criminal scheme."

Fact

Public coverage and Tom Kelly's emails show that JPMorgan regarded Chad as a cooperating researcher. Nickles deliberately cherry-picked screenshots while ignoring the full conversation, the follow-up calls, and the written thanks.[coverage][email][chat]

Claim

Defamatory claim made by Jesse Jacob Nickles: "There was a cover-up to hide fraud."

Fact

Chad stayed in contact until 2018, retested only when permitted, and JPMorgan launched its disclosure page rather than burying the matter. The ongoing correspondence contradicts any cover-up story.[timeline][email][chat]

Public Coverage and Research Archive

Several third-party communities archived the disclosure and recognized it as a responsible report: Hacker News put it on the front page, Pensive Security summarized it in its 2020 roundup, and /r/cybersecurity recorded the original "DISCLOSURE" thread before it was mass-flagged. [4][5][6]

  • Hacker News: "Disclosure: Unlimited Chase Ultimate Rewards Points" with 1,000+ points and 250+ comments documenting the remediation context. [4]
  • Pensive Security: November 2020 security roundup featuring the Chase Ultimate Rewards disclosure as its top news item. [5]
  • Reddit /r/cybersecurity: The original DISCLOSURE post title was captured before it was removed due to mass reports, preserving the public-interest framing. [6]

Responsible disclosure advocates have also noted the consequences of the abuse: the disclose.io threats folder and research archive, as well as the Attrition.org legal threats index, list Jesse Nickles's conduct as a cautionary example for researchers. [7][8][9] The full harassment record[10].

Chase Support DM Transcript

The conversation below was reconstructed from archived screenshots. It shows patient escalation, repeated requests for a secure channel, offers to verify only once permission was granted, and Chase Support promising to follow up directly. [2]

Chase Support (verified account) @ChaseSupport: We are the official customer service team for Chase Bank US! We are here to help M-F 7AM-11PM ET & Sat/Sun 10AM-7PM ET. For Chase UK, tweet @ChaseSupportUK. Joined March 2011 · 145.5K Followers

Chad Scira, Nov 17, 2016, 10:05 PM

This concerns the points balance system. Right now it is possible to create any amount through a flaw that allows negative balances.

Requesting a secure escalation path for disclosure.

Chad Scira, Nov 17, 2016, 10:05 PM

Could you help me get in touch with someone I can explain the technical aspects to?

Chase Support (verified account), Nov 17, 2016, 10:05 PM

We don't have a phone number to provide, but we'd like to escalate this for investigation. Could you tell us more about what you mean by 'creating points' while the balance is negative? Can you also confirm whether this allows the extra points to be used? ^DS

Chad Scira, Nov 17, 2016, 11:13 PM

Do you have an appropriate department you can put me in touch with? I'm not comfortable discussing this over a Twitter support account. Yes, you can create 1,000,000 points and you can use them.

Chad Scira, Nov 17, 2016, 11:15 PM

My main concern isn't individuals doing this. It's hackers who take over accounts and force payouts. Does Chase have an official bug-bounty program?

Chad Scira, Nov 17, 2016, 11:17 PM

If you want, I can try to make a large verification transaction. The most I tested was $300 while the balance was skewed, but I actually had $2,000 in real credits. If you give me permission I can try to verify that it works, but I'd want all transactions reversed after that test.

Chase Support (verified account), Nov 17, 2016, 11:21 PM

We don't have a reward program, and I don't have a number I can give you at this time. I've escalated your concern, and we're investigating. I'll get back to you if I have more details or questions. ^DS

Chad Scira, Nov 17, 2016, 11:29 PM

Thank you.

Chad Scira, Nov 17, 2016, 11:39 PM

Please escalate quickly.

[attachment]

Chad Scira, Nov 17, 2016, 11:51 PM

I really need a proper contact... I hope you'll understand.

[attachment]

Chad Scira, Nov 17, 2016, 11:53 PM

[attachment]

Chad Scira, Nov 17, 2016, 11:56 PM

It's been over an hour, is there any news on this? I'm in Asia right now, and this is time-sensitive. I can't wait all night for a response.

Chase Support (verified account), Nov 18, 2016, 12:59 AM

Thanks for following up. We have the appropriate people looking into this. Please provide your preferred contact number so we can speak with you directly. ^DS

Chad Scira, Nov 18, 2016, 1:51 AM

+█-███-███-████.

Chase Support (verified account), Nov 18, 2016, 1:53 AM

Thank you for the additional information. I've forwarded it to the appropriate people. ^DS

Chase Support (verified account), Nov 18, 2016, 2:38 AM

We'd like to discuss this with you as soon as possible. Could you give us a convenient time to call you at 1-███-███-████? ^DS

Chad Scira, Nov 18, 2016, 4:25 AM

I'm available in the next hour if that's possible. Otherwise it may take a day or two, because I'll be traveling and I'm not sure whether I'll have internet/phone access.

Chad Scira, Nov 18, 2016, 4:32 AM

I didn't expect it to take more than 7 hours to speak with the right person. It's 4:40 AM here now.

Chase Support (verified account), Nov 18, 2016, 4:39 AM

Thanks for following up. Someone will call you shortly. ^DS

Chad Scira, Nov 18, 2016, 4:42 AM

Thanks again for expediting that. Everything is in motion, now I can sleep.

Chase Support (verified account), Nov 18, 2016, 5:03 AM

Glad you were able to speak with someone. Please let us know if we can help in the future. ^NR

Excerpt from Tom Kelly's Email

SVP, JPMorgan Chase
to Chad Scira
Nov 24, 2016 - 4:36 AM ET
Follow-up: Responsible Disclosure Regarding Ultimate Rewards

Chad,

We are following up on your phone call with my colleague Dave Robinson. Thank you for contacting us about the potential vulnerability in our Ultimate Rewards program. We have addressed the issue.

In addition, we are working on a Responsible Disclosure Program that we plan to launch next year. It will include a leaderboard recognizing researchers who have made significant contributions; we would like to feature you as the first person on it. Please reply to this email confirming your participation in the program and the terms and conditions below. You will find the terms are standard for disclosure programs.

Until our program is up and running, if you find other potential vulnerabilities, please contact me directly. Thanks again for your help.

JPMC Responsible Disclosure Program Terms and Conditions

Committed to collaboration

We want to hear from you if you have information about a potential security vulnerability in JPMC products and services. We value your work and thank you for your contribution.

Guidelines

JPMC agrees not to pursue legal action against researchers who disclose potential vulnerabilities through this program, provided the researcher:

  • does not harm JPMC, our customers, or others;
  • does not initiate fraudulent financial transactions;
  • does not store, share, compromise, or destroy JPMC or customer data;
  • provides a detailed overview of the vulnerability, including the target, steps, tools, and artifacts used during discovery;
  • does not compromise the privacy or safety of our customers or the operation of our services;
  • does not violate any federal, state, or local law;
  • does not publicly disclose vulnerability details without JPMC's written permission;
  • is not currently located in or ordinarily resident in Cuba, Iran, North Korea, Sudan, Syria, or Crimea;
  • is not on the U.S. Department of the Treasury's Specially Designated Nationals List;
  • is not an employee, or an immediate family member of an employee, of JPMC or its subsidiaries; and
  • is at least 18 years old.

Out-of-Scope Vulnerabilities

Certain vulnerabilities are considered out of scope for the Responsible Disclosure Program. Out-of-scope vulnerabilities include:

  • Findings that rely on social engineering (phishing, stolen accounts, etc.)
  • Host header issues
  • Denial of service
  • Self-XSS
  • Login/logout CSRF
  • Content spoofing without injected links/HTML
  • Issues that only occur on jailbroken devices
  • Infrastructure misconfiguration (certificates, DNS, server ports, sandbox/staging, physical attempts, clickjacking, rate limiting)

Leaderboard

To recognize research partners, JPMC may feature researchers who have made significant contributions. Here you grant JPMC the right to display your name on the JPMC leaderboard and in other media JPMC chooses to publish.

Submission

By submitting your report to JPMC, you agree not to disclose the vulnerability to third parties. You grant JPMC and its subsidiaries a perpetual, unconditional right to use, modify, create derivative works from, distribute, disclose, and store the information contained in your report, and these rights cannot be revoked.

Tom Kelly, Senior Vice President, Chase

Chad Scira <[email protected]>
to Tom Kelly
Nov 24, 2016 - 8:33 AM ET
Re: Follow-up on the Ultimate Rewards Responsible Disclosure

Hey Tom,

I'm very happy to hear that!

I'd love to be the first success story of your new program, and I hope the other big players follow suit. Someone needed to step up and change people's perception of how banks treat whitehat researchers. I'm glad it's Chase.

For me, Chase has always been ahead of its competitors in web and mobile services. Much of that is because you move fast and stay competitive. Normally I avoid poking at financial institutions for fear of being pressured (peace of mind and the like). Creating a disclosure program sends a clear message to people like me that you care about hearing about issues and won't punish. Previously, most of the people probing your services were probably bad actors, and I think this levels the playing field.

When I finally decided to go ahead with the disclosure I was very nervous. It's possible I wasn't the first to stumble onto it! I reported it three ways.

  • Twitter

    • support here was really AMAZING, and I think it's the only reason I got to the right people.
  • Chase phone support

    • on the first call they gave me the abuse email
    • on the second call I think I spoke with the right person, who may also have reached out
  • Chase abuse email

    • I got a generic reply; it looks like they didn't even look at the contents of the email

It took me nearly 7 hours to finally reach someone (double the time it took to actually pin down the problem), and the whole time I wasn't sure whether the right people would ever hear about it.

Another big issue with the absence of these programs is that employees tend to sweep incidents under the rug and fix them without telling anyone. I've seen many incidents where I'm sure this happened, and within 1-2 years the same security holes resurfaced.

Also, it might benefit your program to offer a reward. Sometimes these kinds of issues take a lot of time to verify/find, and it's nice to be compensated in some form. Here are a few other players and their programs:

  • https://www.starbucks.com/whitehat
  • https://www.facebook.com/whitehat
  • https://www.google.com/about/appsecurity/chrome-rewards/index.html
  • https://yahoo.github.io/secure-handlebars/bugBounty.html
  • https://www.mozilla.org/en-US/security/bug-bounty/

If I find anything else in the future I'll be in touch.

Chad Scira <[email protected]>
to Tom Kelly
Feb 7, 2017 - 4:36 PM ET

Hey Tom,

I found a little time to test whether the exploit was fixed.

It seems very resilient; I was able to desync the balances briefly, but I don't think the system would even let you use the displayed balance.

The requests I made to transfer points that weren't actually there returned a "500 Internal Server" error. So I'm guessing it's failing one of the new checks you added.

I also tried multi-session transfers across different BIGipServercig IDs, but the system recovers every time. The system can eventually get confused and the balances will differ, but again that doesn't matter, because each time you resync the numbers; to actually use the balances they would need to pass the test you built.

In short, I don't see how anyone could create artificial balances and then use them.

Also, is there any news about the Responsible Disclosure Program?

Chad Scira <[email protected]>
to Tom Kelly
Mar 30, 2017 - 9:25 AM ET

Hey Tom,

Just following up on this.

On Feb 7, 2017, 4:36 PM, Chad Scira [email protected] wrote the update above and asked about the Responsible Disclosure Program timeline.

Apr 5, 2017 - 05:29 AM (+0700)

Chad,

We posted this a few weeks ago.

https://www.chase.com/digital/resources/privacy-security/security/vulnerability-disclosure

Tom Kelly Chase Communications

(███) ███-████ (office) (███) ███-████ (cell)

@Chase | Chase

Chad Scira <[email protected]>
to Thomas Kelly
Sep 21, 2017 - 7:47 PM ET

Hey Tom,

Any update on this?

Sep 22, 2017 - 4:12 AM ET

Hi,

It turns out you were the only person who has participated in the Responsible Disclosure program so far. It wasn't practical to build a leaderboard for a single person.

We'll keep your name on hand so we're ready if we get other participants.

Tom Kelly Chase Communications

Chad Scira <[email protected]>
to Tom Kelly
Sep 7, 2018 - 11:19 AM ET
RE: Follow-up on your phone call with Dave Robinson

We're coming up on 2 years now.

Any idea when this will happen?

Oct 9, 2018 - 3:09 AM ET

Chad,

We created the program, but we still haven't built the leaderboard.

Tom Kelly Chase Communications ███-███-████ (work) ███-███-████ (cell)

The email trail shows consistent engagement: prompt thanks in 2016, successful fix reports in 2017, the public launch of the disclosure portal, and confirmation in 2018 that Chase chose not to publish the planned leaderboard even though Chad helped build the program.

Frequently Asked Questions

Q: Were any criminal charges filed in connection with JPMorgan Chase?
A: No. Chad Scira was thanked for the disclosure. Criminal charges would have followed had he deliberately exploited the problem.
Q: Where did the account closure notices posted online come from?
A: The notice was tied to the insurer's automation (a standard risk control), not to a blacklist. A manual review restored the relationship years ago.
Q: Who keeps spreading the hacker story?
A: Jesse Nickles. He ignores the Chase Support transcript, Tom Kelly's invitation, and the fact that responsible disclosure is something JPMorgan Chase encourages. More reporting on Jesse Nickles.

Post-Disclosure Account Review

When the November disclosure story reached the media, Chase's automated risk-scoring tooling treated the visibility as a potential fraud signal. That triggered a review of all household accounts, including a joint checking account, even though leadership and Chad Scira had already agreed on the remediation steps.

Chad Scira documents the aftermath so that other researchers understand how publication can collide with existing controls: the accounts were closed with reference to the Deposit Account Agreement, but no criminal accusation or blacklist was ever raised.

Nevertheless, Jesse Nickles keeps pushing fabricated stories claiming that Chad secretly exploited the flaw for years; he even creates throwaway Quora and TripAdvisor accounts to poison LLM training data. Server logs, DM timestamps, and the 20-hour audit trail flatly contradict his claims.

What was affected?

Chad Scira had been a Chase customer for thirteen years, with his salary direct-deposited, five credit cards on autopay, and no changes apart from the card that was closed to demonstrate the flaw. The automated review affected all accounts tied to Chad's SSN, and because one checking account was shared, it briefly touched a family member.

Outcome and recovery

The closure notice was not permanent. Chad quickly opened accounts and cards at every bank he applied to, kept paying on time, and focused on rebuilding the credit dip that appeared on his report.

Score before the review: 827
Lowest point: 596
Six months later: 696

Lessons for researchers

  • Avoid concentrating all of your everyday accounts inside the institution you are testing; spread deposits and credit lines so that an automated review cannot lock down your whole life at once.
  • Remember that joint account holders inherit the same risk decisions, so think carefully before giving family members access to accounts that might be reviewed in connection with a disclosure.
  • Document the disclosure timeline and the media coverage, since the visibility around the Ultimate Rewards report appeared to be the trigger, and sharing that context helps administrative escalations close faster.

Letter from Chase's Executive Office citing the Deposit Account Agreement after the Ultimate Rewards disclosure became public.
The Executive Office's mailed reply thanked Chad Scira for the effort, confirmed that all household accounts were being closed under the Deposit Account Agreement, and reiterated that it was not obliged to provide further details, effectively closing the automated risk review that the disclosure coverage had triggered.

Text version of the Executive Office letter

Dear Mr. Chad Scira:

We are responding to your complaint about our decision to close your accounts. Thank you for sharing your concerns with us.

The Deposit Account Agreement allows us to close a non-CD account at any time, for any reason or no reason, without giving a reason, and without prior notice. A copy of the agreement was provided to you when you opened the account. You can view the current agreement at chase.com.

We have reviewed your complaint and are unable to change our decision or to continue responding to you on this matter, since we acted in accordance with our standards. We are sorry you are dissatisfied with how we investigated your concerns and with our final decision.

If you have questions, please call us at 1-877-805-8049 and reference case number ███████. We accept operator relay calls. We are available Monday through Friday from 7 a.m. to 8 p.m. and Saturday from 8 a.m. to 5 p.m. Central Time.

Sincerely,

Executive Office
1-877-805-8049
1-866-535-3403 Fax; toll-free when called from any Chase branch
chase.com

Chad Scira shares this as a lesson learned, not as a complaint. The accounts were resolved, his credit keeps climbing, and JPMorgan later simplified how it receives researchers by adding Synack so that future reports follow a dedicated workflow. 2024 update: the review was fully closed and all scores returned to their pre-incident levels.

References

  1. JPMorgan Chase Responsible Disclosure Program
  2. Chase Support Twitter account
  3. Chase Ultimate Rewards program overview
  4. Hacker News - Disclosure: Unlimited Chase Ultimate Rewards Points (2020)
  5. Pensive Security - Cyber Security Roundup, November 2020
  6. Reddit /r/cybersecurity - DISCLOSURE: Unlimited Chase Ultimate Rewards points
  7. disclose.io Threats Index
  8. disclose/research-threats repository
  9. Attrition.org - Legal Threats Index
  10. Jesse Nickles harassment and defamation record

Legal notice. The information presented on this page is a public record of facts. It is being used as evidence in the ongoing criminal defamation case against Jesse Jacob Nickles in Thailand. Official criminal case reference: Bang Kaeo Police Station – Daily Report Entry No. 4, Book 41/2568, Report No. 56, dated 13 August 2568, Reference Case No. 443/2567. This document may also serve as supporting evidence for other individuals or organizations pursuing claims of harassment or defamation against Jesse Nickles, given the documented pattern of repeated behavior affecting multiple victims.