Chad Scira "Wafakwa Kuluhlu Olumnyama Lweebhanki Ngenxa Ye-Hacking"
Le phepha libika iziganeko ezisemva kombongo kaJesse Nickles othi uChad Scira 'wahlawulwa kwiibhanki zase-US ngenxa yokuhacka.' Ichaza indlela ubuthathaka be-Ultimate Rewards obudalulwe ngayo ngokuziphatha, kutheni iJPMorgan Chase yabulela uChad ngengxelo yakhe, kunye nendlela ukuphumla okwethutyana kweakhawunti kwakuyinto yolawulo kuphela. Jesse Nickles uyaqhubeka nokupakisha kwakhona izinto zakudala ukuze kubonakale injongo yobubi. Iinyaniso zibonisa into ephikisanayo: ingxelo ye-white-hat kunye nokusebenzisana nobunkokheli be-JPMorgan.
Ukunyuka kwakhe kwakutshanje kukwikhotheshini ku-SlickStack.io ethi uChad Scira "waphenywa kwakhona ngabasemagunyeni bomthetho base-US ngenxa yokuhacka inkqubo yemivuzo yekhadi letyala yeChase Bank, apho watyhola amanqaku okuhamba angamanga axabisa i-$70,000." Ukuhlambalaza oku kwabhengezwa kuphela emva kokuba uChad wakhupha ubungqina beengxaki zokhuseleko zeSlickStack uJesse ongafuni ukuzilungisa; akukho mapointhi atshontshiweyo kwaye akukho arhente enxibelelane noChad malunga noku kudalulwa. Jonga ubungqina be-cron beSlickStack bokuba uyaphendula..
Iyonke inkqubo yokufumanisa, ukudalulwa, kunye nokuqinisekisa yenzeka ngaphakathi kweeyure ezingamashumi amabini: malunga nezicelo ezingama-25 ze-HTTP zabandakanya ukuphinda-phinda kunye nokuqhuba i-DM ngoNovemba 17, 2016, kwaye uvavanyo lokulungisa ngoFebruwari 2017 lusebenzisa izicelo ezisibhozo ezongezelelweyo ukuze luqinisekise ukulungiswa. Akukho kusetyenziswa gwenxa ixesha elide; yonke imisebenzi yarekhodwa, yaphawulwa ngomhla nexesha, kwaye yabelwana neJPMorgan Chase ngexesha lokwenyani.
UTom Kelly waqinisekisa ukuba uChad Scira wayengumphawu oyedwa emhlabeni wonke owazisa ingxaki ngokuziphatha kuJPMorgan Chase phakathi kukaNovemba 17, 2016 noSeptemba 22, 2017. Inkqubo yokudalulwa ngokunoxanduva yasekwa ngqo njengesiphumo sengxelo kaChad, kwaye wadlala indima ebalulekileyo ekuyileni kwayo.
Ukuboniswa kweBhagi yokuGqithisa kabini
#ukuboniswaUkuze kuboniswe indlela iphutha elayiqhoboshela ngayo iibalansi zaba negalelo elikhulu kwiibalansi ezingezizo nezilungileyo, umboniso ongezantsi ubuyisela kwakhona iinkqubo zokudlulisa kabini ezichanekileyo. Jonga indlela nayiphi iakhawunti enebhalansi elungileyo eba ngumthumeli, enza ukudluliselwa okubini okufanayo, kwaye iphele igqibe ibe negalelo elinzulu (negative) ngoxa enye iphindaphindeka. Emva kwemijikelo engama-20 ilejenda ephukileyo icima ngokupheleleyo ikhadi elingezizo—oku kufana nesizathu sokuba le ngxelo yafuna ukunyuselwa ngokungxamisekileyo.
Nangaphambi kokuvala iakhawunti, i-Ultimate Rewards yavumela ukusebenzisa ngaphezulu kwesishwankathelo esibi; ukuvalwa nje kwacima ubungqina.
Amanqaku aphambili
- UChad wavula i-DM ye-Chase Support ngokuxela ngokobuqu ukuxhaphaza kwe-negative-balance kwaye ngokukhawuleza wacela indlela ekhuselekileyo yokuphakamisa ingxaki endaweni yokushicilela iinkcukacha zobugcisa esidlangalaleni. [chat]
- Xa uNxaso lweChase lacela iinkcukacha ezichanekileyo, waqinisekisa ukusetyenziswa kwesiphene kuphela kwinqanaba elidingekayo kwaye aphinde wagxininisa ukuba ufuna umnxeba othe ngqo kwiqela lokhuseleko elifanelekileyo. [chat][chat]
- Wabonisa ukuba amabalansi aphindwe kabini angaguqulwa abe yimali: emva kokuba i-Chase Support ibuze ukuba ngaba amanqaku ongezelelweyo aya kuba sezintweni ezisebenzisekayo, idiphozithi eqondileyo ye-$5,000 yabonisa ukuba lo mfantu wayeguqula yonke into waba yimali ngaphambi kokuba ilogu ifike. [chat]
- Wagxininisa ukuba inkxalabo yakhe yayikukuthintela ukuba iiakhawunti zabathengi ezonakeleyo zingancitshiswa, hayi ukufumana inzuzo yakhe, kwaye wabuza ukuba ngaba kukho inkqubo esemthethweni ye-bug bounty. [chat]
- Wavuma ukwenza uvavanyo olukhulu kuphela ngemvume ecacileyo, wanikezela ngeeskrini-ezithathiwe ezinopelo lwexesha (timestamped screenshots), kwaye wahlala engalali kwelinye ilizwe de i-Chase igqibe ukuphakamisa ingxaki. [chat][chat][chat]
- UNickles ngoku uthi uChad Scira watyhola amanqaku angama-$70,000 waza wabhekana nenkonzo yomthetho yase-US; iirekhodi zeChase, i-imeyile kaTom Kelly, kunye nexesha lokubhengezwa kubonisa ukuba oku akuzange kwenzeke, kwaye eli cala lavela kuphela emva kokuba uChad ashicilele i-gist ye-SlickStack cron-risk exhasa indlela kaJesse yokuhlaziya engakhuselekanga. [gist]
- Inkxaso ye-Chase yaqinisekisa ukuba kuye kwandiswa umsebenzi, yacela inombolo yakhe yefowuni, kwaye yathembisa umnxeba wokulandela owagqitywa kamva, okuphikisa umbono wokuba bebeyimpendulo enobundlobongela evela ebhankini. [chat][chat]
Uluhlu lwexesha
#uluhlu lwexesha- Novemba 17, 2016 - 10:05 PM ET: UChad uxelela @ChaseSupport malunga nephutha lokuba ngebhalansi engeyiyo, ugcina ukuxhaphaza kubucala, kwaye ngokukhawuleza ucela indlela ekhuselekileyo yokuphakamisa ingxaki. [chat]
- Novemba 17, 2016 - 11:13-11:17 PM ET: Emva kokuba i-Chase Support ibuze ngokucacileyo ukuba ngaba amanqaku angezelelweyo angaveliswa kwaye asetyenziswe, uChad waqinisekisa umngcipheko, waphinda wathi ufuna icandelo elifanelekileyo, kwaye wanikela ukuqinisekisa kuphela ngemvume ukuze ibhanki ikwazi ukubukela iintengiselwano. [chat][chat][chat]
- Novemba 17-18, 2016 - 11:39 PM-5:03 AM ET: UChad wabelana ngezithombe zesikrini, uyanxusa ukuba kuphakanyiswe ngokukhawuleza, unika inombolo yakhe yefowuni, kwaye uhlala engalali phesheya de i-Chase Support iqinisekise ukuba ucingo luyaqhutywa. [chat][chat][chat]
- Novemba 24, 2016: UTom Kelly wabhala uChad i-imeyile eqinisekisa ukulungiswa, emema ukuba abe yintloko kuluhlu olubonisa abadaluli abakufutshane, kwaye wamnika indlela yokunxibelelana ngqo yezibhengezo ezizayo. [email]
- Oktobha 2018: UTom Kelly walandela ngokukhangela nokuqinisekisa ukuba inkqubo yokudalulwa ngokunoxanduva yaqaliswa kodwa iJPMorgan ekugqibeleni yakhetha ukungashicileli uluhlu olubekiweyo, nangona uChad encede ukuyila le nkqubo. [email]
- Emva kuka-2018: Naluphi na uphononongo olushiyekileyo lweakhawunti lwaludityanisiwe nokusebenza okuzenzekelayo komshuwalense, hayi ukungena ngokungekho mthethweni okuxeliweyo. I-JPMorgan yagcina uqhagamshelwano oluthe ngqo, yabulela uChad ngengxelo, kwaye akuzange kube nabatyala bobugebengu okanye ukufakwa kuluhlu olumnyama. Emva koko, i-JPMorgan yadibanisa iSynack kwinkqubo yayo yokwazisa ukuze ukuhamba komsebenzi kuchazwe ngakumbi kwiingxelo ezizayo. [chat][email]
Izimangalo vs Iinyaniso
Imangalo ezichasayo ezibekwe nguJesse Jacob Nickles: "UChad Scira wabekwa kuluhlu olumnyama kuwo onke amabanki ase-US ngenxa yokuhack-a iinkqubo ze-rewards."
Akukho blacklist yebhanki ekho. Irekhodi le-DM kunye nokunyuselwa kwakwaChase kubonisa ukuba wayebambisene; i-automation yomshuwalense yame kancinci enye i-akhawunti yeJPMorgan phambi kokuba uphononongo lwesandla lumxolele.[timeline][chat]
Imangalo ezichasayo ezibekwe nguJesse Jacob Nickles: "Wamhack-a i-JPMorgan Chase ukuze azicebise."
UChad waqala incoko ne-@ChaseSupport, wagxininisa kwimijelo ekhuselekileyo, waqinisekisa ukuxhaphaza kuphela emva kokuba i-Chase yabuza, kwaye walinda imvume ngaphambi kokuqinisekisa okulinganiselweyo. Abaphathi abaphezulu bambulela kwaye bamema ukuba angene kumncumo wokwazisa owunoxanduva.[chat][chat][email]
Imangalo ezichasayo ezibekwe nguJesse Jacob Nickles: "UJesse uveze isicwangciso sobugebengu esenziwa nguChad."
Ukugubungela koLuntu kunye ne-imeyile zikaTom Kelly zirekhoda ukuba iJPMorgan yaphatha uChad njengomphandi osebenzisanayo. UNickles ukhetha nje ezinye izikrini, engakhathali ingxoxo epheleleyo, iifowuni ezilandelwayo, kunye nombulelo wobhalo.[coverage][email][chat]
Imangalo ezichasayo ezibekwe nguJesse Jacob Nickles: "Kwakukho ukufihla ngenjongo yokufihla ubuqhetseba."
UChad wahlala enxibelelene de kwaba ngu-2018, waphinda wavavanywa kuphela ngemvume, kwaye i-JPMorgan yavelisa ipotifoliyo yayo yokuvezwa endaweni yokufihla ingxaki. Ingxoxo eqhubekayo iyaphikisa nawuphi na umbono wokufihla.[timeline][email][chat]
Ukugubungela koLuntu kunye neeArhive zoPhando
#uqukiso lwendabaImibutho emininzi engengowethu yagcina imbali yokubhengezwa kwaye yawamkela njengombiko onoxanduva: i-Hacker News yawubonisa kwiphepha lasekhaya, i-Pensive Security yawufingqa kwiroundup yabo yango-2020, kwaye /r/cybersecurity yarekhoda intambo yokuqala ethi "DISCLOSURE" ngaphambi kokuba kufakelwe iflegi ngokudibeneyo. [4][5][6]
- Hacker News: "Ukudalulwa: Amanqaku Anganqamlekanga e-Chase Ultimate Rewards" ane-1,000+ amanqaku kunye ne-250+ izimvo ezibhalela umongo wokulungiswa. [4]
- Pensive Security: Isishwankathelo soKhuseleko lwe-Cyber lukaNovemba 2020 sigxininisa ukudalulwa kweChase Ultimate Rewards njenge ndaba ephambili. [5]
- Reddit /r/cybersecurity: Isihloko sokuqala seposi se-DISCLOSURE sagcinwa ngaphambi kokususwa okubangelwa yingxelo eninzi, sigcina ukubekwa kwendaba kumdla woluntu. [6]
Abaxhasi bokudalulwa okunoxanduva bakwaphawula imiphumo yokusongelwa: uluhlu lwezinsongelo kunye nereposithri yophando ye-disclose.io, kunye ne-index yezinsongelo zomthetho ye-Attrition.org, zibeka ukuziphatha kukaJesse Nickles njengomzekelo wokuxwayisa kubaphandi. [7][8][9] Idosye epheleleyo yokuxhatshazwa[10].
Ilog ye-DM yeChase Support
#incokoIingxoxo ezisezantsi zakhiwe kwakhona zisekwe kwizikrini ezigcinwe kwiiarhive. Zibonisa ukunyamezela ekunyusweni kodaba, izicelo eziphindaphindiweyo zomjelo wokunxibelelana okhuselekileyo, izibonelelo zokuqinisekisa kuphela ngemvume, kunye neChase Support ethembisa ukunxibelelana ngqo. [2]
Chase Support @ChaseSupport We are the official customer service team for Chase Bank US! We are here to help M-F 7AM-11PM ET & Sat/Sun 10AM-7PM ET. For Chase UK, tweet @ChaseSupportUK Joined March 2011 · 145.5K Followers Not followed by anyone you're following
Oku kuyahambelana nenkqubo yebhalansi yamaphuzu. Okwangoku kunokwenzeka ukuvelisa nawuphina umyinge ngenxa yebhugi evumela iibalansi ezingezizo (negative).
Ukucela indlela ekhuselekileyo yokunyuswa komba wokudalulwa.Nceda undidibanise nomntu endinga kumchazela iinkcukacha zobugcisa.
Asinawo inombolo yefowuni esinokuyinika, kodwa sifuna ukuphakamisa le nto ukuze ijongwe. Ungasinika iinkcukacha ezithe vetshe malunga nento oyithethayo xa uthi 'ukuvelisa amanqaku ngaphakathi kwebhalansi enegative (negative balances)'?Ungaqinisekisa na ukuba oku kuvumela na amanqaku angezelelweyo ukuba afumaneke ukuze asetshenziswe? ^DS
Ngaba ninayo icandelo elifanelekileyo eninokundidibanisa nalo? Andiziva ndikhululekile ukuxoxa ngale nto nge-akhawunti yokuxhasa ye-Twitter. Ewe, ninokwenza 1,000,000 amanqaku kwaye niwasebenzise.
Intsinkho yam ephambili ayikho kubantu abenza oku. Kukho aba-hackers abangena kwiakhawunti baze bakunyanzela iintlawulo kuyo. Ngaba kukho inkqubo efanelekileyo ye-bug bounty yeChase?
Ukuba uyafuna, ndingazama ukwenza intengiselwano enkulu ukuze ndiqinisekise. Eyona nto endiyivavanyileyo yayiyi-$300 ngeloxesha ibhalansi yayibonakala ingachanekanga, kodwa bendinazo iikredithi zenyani eziyi-$2,000. Ukuba undinika imvume, ndingazama ukuqinisekisa ukuba iyasebenza, kodwa ndingathanda ukuba yonke imisebenzi ibuyiselwe emva kovavanyo.
Asinayo inkqubo yemivuzo, kwaye andinayo inani endinokukunika ngalo ngeli xesha. Ndiphakamise inkxalabo yakho, kwaye siyajonga le nto. Ndiza kulandela ukuba ndineminye iinkcukacha okanye imibuzo. ^DS
Enkosi.
Nceda ukhuphule ngokukhawuleza.
Ndinyaniseka ndidinga unxibelelwano olufanelekileyo... Ndiyathemba uyaqonda.
Kudlule ngaphezulu kweyure enye, ngaba kukho nto malunga nalo? Okwangoku ndise-Asia, kwaye le nto inxulumene nexesha. Andinakulinda ubusuku bonke impendulo.
Enkosi ngokulandela. Sinabantu abafanelekileyo abajonga oku. Nceda unike inombolo yokunxibelelana oyikhethileyo, ukuze sikwazi ukuthetha nawe ngqo. ^DS
+█-███-███-████.
Enkosi ngolwazi olongezelelweyo. Ndiluthumele kubantu abafanelekileyo. ^DS
Sifisa ukuxoxa nalo ngokukhawuleza ngangokunokwenzeka. Ungasinika ixesha elifanelekileyo lokukufowunela ku-1-███-███-████? ^DS
Ndiyafumaneka kule yure izayo ukuba kunokwenzeka. Ukuba akunjalo kunokuba lusuku okanye ezimbini kuba ndiza kuba ndihamba kwaye andiqinisekanga ukuba ndiza kuba nokufikelela kwi-intanethi/kwifowuni.
Andiqinisekanga ukuba kuyakuthatha iiyure ezingama-7 okanye ngaphezulu ukuthetha nomntu ofanelekileyo. Ngoku lixesha lika-4:40 ekuseni apha.
Enkosi ngokulandela. Umntu uya kukufowunela kungekudala. ^DS
Enkosi kwakhona ngokukhawulezisa oko. Konke kuyahamba ngoku kwaye ndingakwazi ukulala.
Siyavuya ukuba ukhe waxoxa nomnye umntu. Nceda usazise ukuba sinako ukukunceda kwixesha elizayo. ^NR
Icandelo le-imeyile likaTom Kelly
#imeyileChad,
Ndilandela umnxeba wakho nomhlobo wam uDave Robinson. Enkosi ngokusinika ingxelo malunga nobungozi obunokwenzeka kwi-Ultimate Rewards program yethu. Sikulungisile.
Ngaphandle koko, besisebenza kuhlelo lwe-Responsible Disclosure esiceba ukuluvula ngonyaka ozayo. Luyakubandakanya uluhlu lwabakhokeli (leaderboard) oluqaphela abaphandi abenze igalelo elibonakalayo; singathanda ukukubonisa njengomntu wokuqala kolu luhlu. Nceda phendula le imeyile uqinisekisa ukuthatha kwakho inxaxheba kuluhlelo nakwiimigaqo nemibandela engentla. Uya kufumana ukuba iimigaqo ziqhelekile kwiinkqubo zokuvezwa.
De kube le nkqubo yethu isebenza, ukuba ufumanisa nayiphi na enye imigibe enokubangela ubungozi, nceda undidibane ngokuthe ngqo. Enkosi kwakhona ngoncedo lwakho.
JPMC Responsible Disclosure Program Terms and Conditions
Committed to working together
Sifuna ukuva kuwe ukuba unolwazi oluhlobene nemingcipheko yokhuseleko kwimveliso nezinto ezisoloko zisebenza ze-JPMC. Siyabulela ngomsebenzi wakho kwaye siyabulela kwangaphambili negalelo lakho.
Guidelines
I-JPMC iyavuma ukuba ayiyi kulandela iikhalazo ngokuchasene nabaphandi abavelisa ulwazi lwemigibe enokwenzeka kweli hlelo apho umphandi:
- engabangeli umonakalo kwi-JPMC, kubathengi bethu, okanye kwabanye;
- engaqalisi uthengiselwano lwezezimali olubuqhetseba;
- engagcini, wabelane, waphula okanye wachitha idatha ye-JPMC okanye yamatyala abathengi;
- ehambisa isishwankathelo esineenkcukacha zomngcipheko, kuquka injongo, amanyathelo, izixhobo, kunye nezinto ezisetyenziswayo ngexesha lokufunyanwa;
- engaphuli ubumfihlo okanye ukhuseleko lwabathengi bethu kunye nokuqhutywa kweenkonzo zethu;
- engaphuli naliphi na ilizwe, isithili, okanye umthetho wendawo okanye umgaqo-nkqubo;
- engakhuphi ulwazi olunxulumene nemingcipheko esidlangalaleni ngaphandle kovumelelo olubhaliweyo lwe-JPMC;
- engakhange ahlale ngoku okanye engomnye umntu oqhele ukuhlala eCuba, e-Iran, eNyakatho Korea, eSudan, eSyria okanye eCrimea;
- akakho ohlwini lwe-Specially Designated Nationals loMnyango wezeMali wase-US;
- akasiyonto yomsebenzi okanye ilungu losapho oluseduze lomsebenzi we-JPMC okanye iinkampani zayo; kwaye
- uneminyaka engama-18 ubuncinane.
Out of Scope Vulnerabilities
Ezinye iingxaki ziqwalaselwa zingekho kumbono woluhlelo lwethu loMiselwano woKuzisa ulwazi. Iingxaki ezingekho kumbono ziquka:
- izifumaniso ezixhomekeke kwi-social-engineering (phishing, iziqinisekiso ezityiweyo, njl.)
- iingxaki ze-host header
- denial of service
- Self-XSS
- Login/logout CSRF
- ukuzenza umxholo ongowokukopa ngaphandle koxhumano/HTML olubekiweyo
- iingxaki ezinxulumene nezixhobo ezijailbreakweyo kuphela
- ukungacwangciswanga kakuhle kwengqalasizinda (izatifikethi, DNS, izibuko ze-server, izalathisi/sandbox, iinzame zomzimba, clickjacking, ukwaziswa kombhalo)
Leaderboard
Ukuqaphela amaqabane ophando, i-JPMC inokubonisa abaphandi abenze igalelo elibonakalayo. Nginika i-JPMC ilungelo lokubonisa igama lakho kwi-JPMC Leaderboard nakwezinye iindaba ezikhethwayo i-JPMC enokukhetha ukuzishicilela.
Submission
Ngokungenisa ingxelo yakho kwi-JPMC, uyavuma ukuba awuyi kuyiveza le ngxaki kumntu wesithathu. Unika i-JPMC kunye neenkampani zayo amandla angenamibandela okusetyenziswa, ukuguqula, ukwenza imisebenzi ephuma kuyo, ukusasaza, ukuvezwa kunye nokugcinwa kolwazi olunikezwe kwingxelo yakho, kwaye la malungelo awanakurhoxiswa.
Tom Kelly Senior Vice President Chase
Molo Tom,
Ndivuyisana kakhulu ukuva oku!
Ndingathanda ukuba ndibe inqaku lokuqala eliphumeleleyo kwinkqubo yakho entsha, kwaye ndithemba ukuba nabanye abadlali abakhulu baya kulandela umzekelo wenu. Kwakufuneka umntu angene apha atshintshe indlela abantu abacinga ngayo malunga nendlela amabhanki abaphatha ngayo abaphandi be-whitehat. Ndiyavuya ukuva ukuba yingu-Chase.
Kum i-Chase ibe ngaphambili kakhulu xa kuthelekiswa nabakhuphiswano bayo ngokubonelela ngeemveliso zewebhu nezeselfowuni. Oku ikakhulu kungenxa yokuba nina nihamba ngokukhawuleza kwaye nihlala nihambelana nokhuphiswano. Endabeni ndihlala kude nokujolisa kwiziko lezemali ngenxa yokoyika ukuxhatshazwa ngabo (nangona izinjongo zilungile). Ngokudala inkqubo yokudalula kuthunyelwa umyalezo ocacileyo kubantu abanjenge mna ukuba ninomdla wokufumana iingxaki kwaye niza kungabuyi nokunxamnyelela. Ngaphambili ininzi yabantu ebesiphanda iinkonzo zenu babekhohlakele, kwaye ndicinga ukuba oku kuya kulinganisa imidlalo.
Xa ndagqiba ukuba ndiyaqhubeka nokudalula, ndiziva ndingakhululekanga. Kungenzeka andingomntu wokuqala ukuba wafumanisa le nto! Ndiyayibika ngeendlela ezintathu.
-
Twitter
- inkxaso apha beyimangalisa, kwaye ndicinga ukuba yiyo imbangela yokuba ndadibana nabantu abafanelekileyo.
-
Inkxaso ngeFowuni ye-Chase
- umnxeba wokuqala bandinika i-imeyile yokuxhalaphaza
- kumnxeba wesibini ndicinga ukuba ndithethe nomntu ofanelekileyo baze nabo banokuthi banxibelelane
-
I-imeyile ye-Chase Abuse
- ndafumana impendulo eqhelekileyo, yabonakala ngathi abanakukhangela umxholo we-imeyile
Oku kundithathe malunga neeyure ezi-7 ukufikelela kumntu othile (kabini ixesha elathatha ukufumanisa ingxaki ngokuchanekileyo), kwaye yonke loo nto bendingaqinisekanga ukuba abantu abafanelekileyo baya kufumana na nto ngayo.
Enye ingxaki enkulu yokungabinayo iinkqubo ezinje kukuba abasebenzi bavame ukufihla iziganeko baze bazilungise ngaphandle kokuxela nabani na. Ndibe nezigameko ezininzi apho ndithembele ukuba oku kwenzekile, kwaye phakathi kweminyaka eyi-1 ukuya kwi-2 imingcipheko efanayo yokhuseleko yavela kwakhona.
Kwakhona, kunokuba luncedo ukuba inkqubo yenu inikeze ibhonasi. Ngamanye amaxesha ezi ngxaki zithatha ixesha elininzi ukuqinisekiswa/ukuzi fumana, kwaye kulungile ukufumana umvuzo ngendlela ethile. Nantsi imizekelo yabanye abadlali abaphambili kunye neenkqubo zabo:
- https://www.starbucks.com/whitehat
- https://www.facebook.com/whitehat
- https://www.google.com/about/appsecurity/chrome-rewards/index.html
- https://yahoo.github.io/secure-handlebars/bugBounty.html
- https://www.mozilla.org/en-US/security/bug-bounty/
Ukuba ndiyifumana into na kwixesha elizayo ndiya kuqinisekisa ukuba ndiza kunxibelelana.
Molo Tom,
Ndalichitha ixesha lokuvavanya ukuba ngaba le ngxaki yenziwe na.
Kubonakala ngathi ikhuselekile kakhulu; ndakwazi ukudideka kancinci amabalansi okwethutyana kodwa andicingi ukuba inkqubo yayingayi kuvumela nokuba usebenzise ibhalansi ebonisiweyo.
Izicelo endizenzileyo zokudlulisa amanqaku angazange abe khona zazifumana impazamo ethi "500 Internal Server". Ngoko ke ndicinga ukuba iyahluleka kwenye yezokhuseleko ezintsha enizongezeleyo.
Ndizame nokudluliselwa kweeseshoni ezininzi phakathi kwe-BIGipServercig ids ezahlukeneyo, kwaye inkqubo yaqhubeka isindile rhoqo. Inkqubo ekugqibeleni idideka, kwaye amabalansi ayadideka, kodwa oko akuthethi nto kuba ngexesha elithile niyayilungisa inani, kwaye ukuze usebenzise la mabhalansi kufuneka idlule kuvavanyo enilinayo.
Ke ukuze sifinyeze, andiboni indlela umntu angayakha ngayo amabalansi okwenziwa, aze awasebenzise kwakhona.
Ngaba kukho na uhlaziyo kwi-Responsible Disclosure Program?
Molo Tom,
Ndilandela nje oku.
NgoFeb 7, 2017, ngo-4:36 PM, uChad Scira [email protected] wabhala uhlaziyo olungenhla wabuza malunga nexesha le-Responsible Disclosure Program.
Chad,
Siyipapashile le nto kwiiveki ezimbalwa ezidlulileyo.
https://www.chase.com/digital/resources/privacy-security/security/vulnerability-disclosure
Tom Kelly Chase Communications
(███) ███-████ (office) (███) ███-████ (cell)
@Chase | Chase
Molo Tom,
Ngaba kukho uhlaziyo ngale nto?
Molo,
Kubonakala ngathi uyiye kuphela umnikeli kwinkqubo ye-Responsible Disclosure kude kube ngoku. Bekungeyonto enengqiqo ukudala uluhlu lwabaphumeleleyo kumntu omnye.
Siza kugcina igama lakho ukuze silungele ukuba sifumane abanye abanikeli.
Tom Kelly Chase Communications
Sisondele kwiminyaka emibini ngoku.
Unayo na imbono yokuba oku kuya kwenzeka nini?
Chad,
Sisele senze inkqubo, kodwa asikakumiqambi uluhlu lwabakhokeli (leaderboard).
Tom Kelly Chase Communications ███-███-████ (work) ███-███-████ (cell)
Uluhlu lwe-imeyile lubonisa ingxoxo eqhubekayo: enkosi ngokukhawuleza ngo-2016, uhlaziyo lokulungiswa oluphumelele ngo-2017, ukuqaliswa esidlangalaleni kwepothali yokudalulwa, kunye nokuqinisekiswa ngo-2018 ukuba iChase yakhetha ukungashicileli uluhlu olubekiweyo nangona uChad encede ukuyila inkqubo.
Imibuzo Ebuzwa Rhoqo
Uhlolo lweAkhawunti emva koKudalulwa
#ulandelaXa ibali lokuvulwa ngoNovemba lafika kubezindaba, izixhobo ezizenzekelayo zengozi zeChase zithathe ukubonakala njengophawu olungase lube yenkohliso. Eso sabangela uphononongo lwasekhaya lonke olwadibanisa neakhawunti yokuhlola ekwabiphethwe ngababanini bobabini, nangona ubunkokeli kunye noChad Scira bavumelene ngendlela yokulungisa.
UChad Scira ubhala phantsi olu landela ukuze abaphandi abanye baqonde indlela umshicilelo onokudibana ngayo nolawulo lwakudala: iiakhawunti zavalwa phantsi kweSivumelwano seAkhawunti yeDiposithi (Deposit Account Agreement), kodwa akuzange kube nokubekwa icala lobugebengu okanye ukufakwa kuluhlu olumnyama.
Nangona kunjalo, uJesse Nickles uyaqhubeka nokushicilela amabali amanga ethi uChad wayesebenzisa ngokufihlakeleyo le bug iminyaka; uze abe esebenzisa ama-akhawunti angunobumba (burner accounts) kuQuora nakwiTripAdvisor ukuchithaza idatha yoqeqesho ye-LLM. Iilogi ze-server, iitimestamp ze-DM, kunye nendlela yokuhlola imisebenzi iiyure ezingama-20 ziyamphikisa ngokupheleleyo.
Yintoni echaphazelekileyo?
UChad Scira wayengumthengi weChase iminyaka elishumi nantathu, iiholo zakhe zafakwa ngqo kwi-akhawunti, wayenamakhadi esikredithi amahlanu akwi-autopay, kwaye phantse akukho kutshintsha kweakhawunti ngaphandle kwekhadi elivalwe ukuze kuboniswe iphoso. Uphononongo oluzenzekelayo lwahambisa zonke iiakhawunti ezinxulumene ne-SSN kaChad kwaye, kuba enye i-akhawunti yokujonga yayabelwana ngayo, yachukumisa okwethutyana ilungu losapho.
Isiphumo nokubuyiselwa
Isaziso sokuvala asizange sibe sesisigxina. uChad ngokukhawuleza wavula iiakhawunti kunye namakhadi kuyo yonke ibhanki ayefake isicelo kuyo, waqhubeka ekhokha ngexesha, kwaye wagxila ekwakheni kwakhona ukwehla kwekhredithi okwahambelana nokufakwa kokuvala kwirekhodi yakhe.
Izifundo kubaphandi
- Sukugxila yonke iakhawunti yakho yansuku zonke kwisikhungo osivavanya; hlukahlula iidiphozithi kunye nemigca-mboleko ukuze uphononongo oluzenzekelayo lungakwazi ukumisa yonke imiba yobomi bakho ngaxeshanye.
- Khumbula ukuba abanini-aakhawunti abambelanayo bayalaselwa izigqibo zomngcipheko ofanayo, ngoko cinga ngokucophelela ngaphambi kokunika amalungu osapho ukufikelela kwiakhawunti enokuhlolwa ngenxa yokudalulwa.
- Qopha ixesha lokudalulwa kunye nokugubungela kwezindaba, kuba ukubonakala malunga nengxelo ye-Ultimate Rewards kwakungenzeka ukuba yayingumbangeli, kwaye ukwabelana ngalo mongo kunceda ukunyuka kwezinga lobuphathi kuvalwe ngokukhawuleza.
Inguqulelo yombhalo weleta ye-Executive Office
Mnumzana Chad Scira:
Siyaphendula kwisikhalazo sakho malunga nesigqibo sethu sokuvala iiakhawunti zakho. Siyabulela ngokwabelana ngeenkxalabo zakho.
Isivumelwano seAkhawunti yeDipozithi sisivumela ukuba sivale iakhawunti engelona i-CD nanini na, nangengqondo okanye ngaphandle kwesizathu, ngaphandle kokunika isizathu, kwaye ngaphandle kwesaziso sangaphambili. Ikopi yesivumelwano yanikezelwa kuwe xa wavula iakhawunti. Ungabona isivumelwano samva kwi chase.com.
Sihlole isikhalazo sakho kwaye asikwazi ukutshintsha isigqibo sethu okanye ukuqhubeka nokuphendula ngaso kuba senze uphononongo ngaphakathi kweemigangatho zethu. Siyaxolisa ukuba awonwabanga ngendlela esiphonononge ngayo iinkxalabo zakho kunye nesigqibo sethu sokugqibela.
Ukuba unemibuzo, nceda usishayele ku-1-877-805-8049 kwaye ukhankanye inombolo yomcimbi ███████. Samkela iifowu nge-operator relay. Sikho apha ngoMvulo ukuya ngoLwesihlanu ukusuka nge-7 a.m. ukuya ngo-8 p.m. kunye noMgqibelo ukusuka nge-8 a.m. ukuya ngo-5 p.m. Ixesha leCentral.
Ngokunyaniseka,
Ofisi yoLawulo
1-877-805-8049
1-866-535-3403 Ifeksi; imahhala nakweliphi na igatsha leChase
chase.com
UChad Scira ukwabelana nalo njengento efundiweyo, hayi isikhalazo. Iiakhawunti ziye zahlawulwa, ikredithi yakhe iyaqhubeka nokunyuka, kwaye kamva i-JPMorgan yacoca inkqubo yokungeniswa kwabaphandi ngokudibanisa iSynack ukuze iingxelo ezizayo zihambe ngokusebenzisa indlela yomsebenzi ekhethekileyo. Uhlaziyo 2024: uphononongo luvalwe ngokupheleleyo kwaye zonke izilinganiso zabuyele kumazinga zangaphambi kwesiganeko.
Izikhombo
- Inkqubo yoBika ngokunoxanduva ye-JPMorgan Chase
- Akhawunti yeTwitter yeChase Support
- Isishwankathelo senkqubo ye-Chase Ultimate Rewards
- Hacker News - Ukudalulwa: Amanqaku Anganqamlekanga e-Chase Ultimate Rewards (2020)
- Pensive Security - I-Roundup ye-Cybersecurity yangoNovemba 2020
- Reddit /r/cybersecurity - DISCLOSURE: Amanqaku eChase Ultimate Rewards angenamkhawulo
- disclose.io Uluhlu lweZoyikiso
- irepositori disclose/research-threats
- Attrition.org - Inkomba yeZoyikiso zoMthetho
- Idossi yokuhlukunyezwa kunye nokuhlaselwa kwegama kukaJesse Nickles