Chad Scira "Blacklisted by Banks for Hacking"

This page documents the events behind Jesse Nickles's claim that Chad Scira "was blacklisted by US banks for hacking." It explains how the Ultimate Rewards vulnerability was disclosed responsibly, why JPMorgan Chase thanked Chad for the report, and why the temporary account restriction was purely an administrative control. Jesse Nickles keeps repackaging old screenshots to suggest criminal intent. The facts show the exact opposite: a white-hat report and cooperation with JPMorgan's management.

His latest escalation is a quote on SlickStack.io claiming that I "was investigated again by U.S. police for hacking Chase Bank's credit card rewards system, where he allegedly stole $70,000 in travel points fraudulently." That smear appeared only after I published evidence of SlickStack security issues he refuses to fix; no points were ever stolen and no official ever contacted me about the disclosure. See the SlickStack cron evidence he is retaliating against.

The entire discovery, disclosure, and verification process took place within about twenty hours: roughly twenty-five HTTP requests covered the reproduction and the DM thread on 17 November 2016, and the fix verification in February 2017 used another eight requests to confirm the patch. There was no ongoing exploitation; everything done was logged, timestamped, and shared with JPMorgan Chase promptly.

Tom Kelly confirmed that Chad Scira was the only person in the world who responsibly disclosed an issue to JPMorgan Chase between 17 November 2016 and 22 September 2017. The Responsible Disclosure program was created directly because of Chad's report, and he played a significant role in shaping it.

Demonstrating the Double-Transfer Bug

To show how this flaw let balances grow into large negative and positive amounts, the visualization below replays the double-transfer logic. Watch how any sender with a positive balance issues two identical transfers and ends up deeply negative while the other side doubles. After 20 cycles the corrupted ledger closes the negative card entirely, which illustrates why this exploit needed urgent escalation.

[Interactive visualization: cycle 1 of 20; "Card A → Card B, +243,810 points" issued twice; Card A balance 243,810, Card B balance 0; panel "Double-transfer explosion": transfer 1 and transfer 2, 243,810 points each.]

  1. A race condition repeated the transfer before the ledgers were reconciled, letting a single sender swing between large positive and negative amounts.
  2. Support allowed the card with the negative balance to be closed while the inflated positive balance was kept, so the statement showed only income and hid the debt.

Even before the account was closed, Ultimate Rewards allowed spending beyond the negative summary; closing the card simply erased the evidence.
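To make the two footnotes concrete, here is an added toy example (my own illustration, not Chase or Ultimate Rewards code; the card names and balances are constructed): a ledger that reads, checks and writes as separate unlocked steps, replayed with two identical transfers interleaved in the worst-case order, beside a ledger that checks and debits under one lock, a reconciliation audit that flags a negative card even when the point total still adds up, and a closure rule that refuses to close a card whose balance is not zero.

```python
"""Toy points ledger reproducing the double-transfer race described above,
beside an atomic check-and-debit ledger and audits that refuse the result.
Constructed example with made-up card names and balances; it is not Chase
or Ultimate Rewards code."""
import threading
from typing import Dict, Iterator, List


class RacyLedger:
    """Read, check and write as three separate, unlocked steps. Two identical
    transfers from one card can both read the same starting balance, both
    pass the check, and both debit: sender negative, receiver credited twice."""

    def __init__(self, balances: Dict[str, int]) -> None:
        self.balances = dict(balances)

    def transfer_steps(self, src: str, dst: str, amount: int) -> Iterator[str]:
        available = self.balances[src]        # step 1: read (can go stale)
        yield "read"
        if available < amount:                # step 2: check the stale value
            yield "rejected"
            return
        yield "checked"
        self.balances[src] -= amount          # step 3: debit lands regardless
        self.balances[dst] += amount
        yield "written"


def replay_double_transfer(ledger: RacyLedger, src: str, dst: str,
                           amount: int, copies: int = 2) -> Dict[str, int]:
    """Drive `copies` identical transfers in lockstep so every copy reads and
    checks before any copy writes: the schedule that doubles the transfer."""
    steps = [ledger.transfer_steps(src, dst, amount) for _ in range(copies)]
    done: List[bool] = [False] * copies
    while not all(done):
        for i, gen in enumerate(steps):
            if not done[i]:
                try:
                    next(gen)
                except StopIteration:
                    done[i] = True
    return dict(ledger.balances)


class SafeLedger:
    """Check and debit under one lock, so the balance a transfer checks is
    the balance it debits; no card can go below zero."""

    def __init__(self, balances: Dict[str, int]) -> None:
        self.balances = dict(balances)
        self.expected_total = sum(balances.values())
        self._lock = threading.Lock()

    def transfer(self, src: str, dst: str, amount: int) -> bool:
        if amount <= 0 or src == dst:
            return False
        with self._lock:
            if self.balances[src] < amount:
                return False                  # insufficient: reject atomically
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


def concurrent_transfers(ledger: SafeLedger, src: str, dst: str,
                         amount: int, copies: int = 8) -> int:
    """Fire `copies` identical transfers from real threads and return how
    many were accepted; only as many as the balance covers can succeed."""
    results: List[bool] = []
    guard = threading.Lock()

    def worker() -> None:
        ok = ledger.transfer(src, dst, amount)
        with guard:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(copies)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def ledger_is_consistent(balances: Dict[str, int], expected_total: int) -> bool:
    """Reconciliation audit: points are conserved AND no card is negative.
    The racy result passes the sum check alone but fails the sign check."""
    return sum(balances.values()) == expected_total and min(balances.values()) >= 0


def can_close(balances: Dict[str, int], card: str) -> bool:
    """A card may be closed only at a zero balance: closing a negative card
    would hide a debt, closing a positive one would drop a credit."""
    return balances[card] == 0


if __name__ == "__main__":
    start = {"card_a": 243_810, "card_b": 0}      # constructed figures
    racy = replay_double_transfer(RacyLedger(start), "card_a", "card_b", 243_810)
    print("racy ledger after two interleaved transfers:", racy)
    print("consistent?", ledger_is_consistent(racy, 243_810),
          "| may close card_a?", can_close(racy, "card_a"))
    safe = SafeLedger(start)
    accepted = concurrent_transfers(safe, "card_a", "card_b", 243_810)
    print(f"safe ledger: {accepted} of 8 concurrent transfers accepted ->",
          safe.balances, "| consistent?",
          ledger_is_consistent(safe.balances, safe.expected_total))
```

The lockstep replay is deterministic on purpose: a real race depends on scheduling, but the schedule that matters is the one where every copy has passed the balance check before any debit lands, and that is what `replay_double_transfer` forces. The sum check alone would have passed the corrupted ledger (points moved, none were created), which is why the audit also rejects any negative card and why closure is refused until the balance is exactly zero.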

Key points

  • Chad opened a DM with Chase Support, privately reporting the negative-balance exploit, and immediately asked for a secure escalation path instead of posting the technical details publicly. [chat]
  • When Chase Support asked for specifics, he confirmed the exploit only as far as necessary and reiterated that he wanted a direct line to the security team. [chat][chat]
  • He showed that the duplicated balances could be converted into cash: after Chase Support asked whether the extra points could be spent, a direct $5,000 deposit demonstrated that the attack was monetizable before the ledger caught up. [chat]
  • He stressed that his priority was preventing compromised customer accounts from being drained, not profiting himself, and asked whether an official bug bounty program existed. [chat]
  • He offered to run a larger test only with explicit permission, provided timestamped screenshots, and stayed awake overseas until Chase finished escalating the issue. [chat][chat][chat]
  • Nickles now says I stole $70,000 in bonuses and faced U.S. police; Chase's records, Tom Kelly's email, and the timing of the accusation show that this never happened, and the claim surfaced only after I published the SlickStack cron-risk gist documenting that his update mechanism is insecure. [gist]
  • Chase Support confirmed the escalation, asked for his phone number, and confirmed the follow-up call he eventually received, which exposes the false narrative of a hostile response from the bank. [chat][chat]

Timeline

  • Nov 17, 2016 - 10:05 PM ET: Chad alerts @ChaseSupport to the negative-balance bug, keeps the exploit details private, and immediately asks for a secure escalation path. [chat]
  • Nov 17, 2016 - 11:13-11:17 PM ET: After Chase Support explicitly asks whether extra points can be generated and spent, Chad explains the risk, again insists on reaching the right department, and offers to verify only with permission so the bank can watch the transactions. [chat][chat][chat]
  • Nov 17-18, 2016 - 11:39 PM-5:03 AM ET: Chad shares screenshots, pushes for rapid escalation, provides his phone number, and stays up overseas until Chase Support confirms a call is taking place. [chat][chat][chat]
  • Nov 24, 2016: Tom Kelly emails Chad confirming the fix, inviting him to be first on the upcoming responsible-disclosure leaderboard, and giving him a direct line for future reports. [email]
  • October 2018: Tom Kelly follows up to confirm that the responsible disclosure program launched but that JPMorgan ultimately chose not to publish the planned leaderboard, despite Chad's help in shaping it. [email]
  • Post-2018: Any remaining account review was tied to automated underwriting risk controls, not the alleged hacking. JPMorgan kept a direct line open, thanked Chad for the disclosure, and there is no record of a crime or a blacklist. JPMorgan later integrated Synack into its disclosure program so that future reports flow through a managed process. [chat][email]

Claims versus Facts

Claim

Jesse Jacob Nickles's defamatory claim: "Chad Scira was blacklisted by every US bank for hacking rewards systems."

Fact

No bank blacklist exists. The DM record and Chase's escalation show he was cooperating; an automated underwriting process briefly froze one JPMorgan account before a manual review cleared it.[timeline][chat]

Claim

Jesse Jacob Nickles's defamatory claim: "He hacked JPMorgan Chase for personal gain."

Fact

Chad initiated the conversation with @ChaseSupport, acknowledged the need for a secure channel, confirmed the exploit only after Chase asked, and waited for permission before any limited verification. Senior management thanked him and invited him to help shape the responsible disclosure program.[chat][chat][email]

Claim

Jesse Jacob Nickles's defamatory claim: "Jesse exposed Chad's criminal scheme."

Fact

Public coverage and Tom Kelly's emails document that JPMorgan treated Chad as a cooperating researcher. Nickles cherry-picks screenshots while ignoring the full conversation, the follow-up calls, and the written thanks.[coverage][email][chat]

Claim

Jesse Jacob Nickles's defamatory claim: "There was a cover-up to hide the fraud."

Fact

Chad stayed in contact through 2018, retested only with permission, and JPMorgan launched its responsible disclosure portal rather than burying the issue. The ongoing dialogue contradicts any cover-up narrative.[timeline][email][chat]

Public Coverage and Research Archives

Numerous third-party communities archived the disclosure and received it as a responsible report: Hacker News featured it on the front page, Pensive Security summarized it in its 2020 incident roundup, and /r/cybersecurity indexed the original "DISCLOSURE" thread before coordinated mass reporting had it removed. [4][5][6]

  • Hacker News: "Disclosure: Unlimited Chase Ultimate Rewards Points" earned more than 1,000 points and over 250 comments discussing the remediation. [4]
  • Pensive Security: the November 2020 Cyber Security roundup highlighting the Chase Ultimate Rewards disclosure as a lead story. [5]
  • Reddit /r/cybersecurity: the original DISCLOSURE post title, captured before the removal caused by mass reporting, preserving its public significance. [6]

Responsible disclosure advocates also cite the research outcomes: the disclose.io threat list and research archive, and the Attrition.org legal threats index, record Jesse Nickles's conduct as a cautionary example for researchers. [7][8][9] Full exploit report[10].

Chase Support DM Conversation

The conversation below is reconstructed from archived screenshots. It shows careful escalation, repeated requests for a secure channel, an offer to strengthen the proof only with permission, and Chase Support promising direct contact. [2]

Chase Support (@ChaseSupport, verified account): We are the official customer service team for Chase Bank US! We are here to help M-F 7AM-11PM ET & Sat/Sun 10AM-7PM ET. For Chase UK, tweet @ChaseSupportUK. Joined March 2011 · 145.5K Followers

Chad Scira, Nov 17, 2016, 10:05 PM:

This concerns the points balance system. Right now it is possible to generate any number of points using a bug that allows negative balances.

I am requesting a secure escalation path to disclose the details.

Chad Scira, Nov 17, 2016, 10:05 PM:

Could you please connect me with someone I can explain the technical details to?

Chase Support (verified account), Nov 17, 2016, 10:05 PM:

We don't have a phone number to provide, but we would like to escalate this for review. Could you give us more details about what you mean by generating points through negative (below zero) balances? Can you also confirm whether this allows additional points to become available for use? ^DS

Chad Scira, Nov 17, 2016, 11:13 PM:

Do you have an appropriate department you can connect me with? I'm not comfortable discussing this through the Twitter support account. Yes, you could generate 1,000,000 points and spend them.

Chad Scira, Nov 17, 2016, 11:15 PM:

My main concern isn't individuals doing this. It's attackers who compromise accounts and force transactions through them. Is there an official Chase bug bounty program?

Chad Scira, Nov 17, 2016, 11:17 PM:

If you want, I can try to make a larger transaction to confirm. The most I've tested is $300 while the balance was out of sync, but I had a real $2,000 in legitimate credits. If you give me permission I can try to confirm that it works, but I would want all transactions reversed after the test.

Chase Support (verified account), Nov 17, 2016, 11:21 PM:

We don't have a bounty program, and I don't have a phone number to provide at this time. I've escalated your concern to a higher level, and we are reviewing it. I'll follow up if I have additional details or questions. ^DS

Chad Scira, Nov 17, 2016, 11:29 PM:

Thanks.

Chad Scira, Nov 17, 2016, 11:39 PM:

Please escalate as quickly as possible.

[screenshot attachment]

Chad Scira, Nov 17, 2016, 11:51 PM:

I really need a proper channel of communication... I hope you understand.

[screenshot attachment]

Chad Scira, Nov 17, 2016, 11:53 PM:

[screenshot attachment]

Chad Scira, Nov 17, 2016, 11:56 PM:

It's been over an hour; is there any word on this? I'm currently in Asia, and this is an issue that needs prompt action. I can't wait all night for a reply.

Chase Support (verified account), Nov 18, 2016, 12:59 AM:

Thanks for following up. We have the right people looking into this. Please provide a preferred contact number so we can speak with you directly. ^DS

Chad Scira, Nov 18, 2016, 1:51 AM:

+█-███-███-████.

Chase Support (verified account), Nov 18, 2016, 1:53 AM:

Thanks for the additional information. I've passed it along to the right people. ^DS

Chase Support (verified account), Nov 18, 2016, 2:38 AM:

We'd like to discuss this with you as soon as possible. Could you give us a good time to call you at 1-███-███-████? ^DS

Chad Scira, Nov 18, 2016, 4:25 AM:

I'm available in the next hour if that works. Otherwise it may take a day or two, because I'll be traveling and I'm not sure I'll have internet/phone access.

Chad Scira, Nov 18, 2016, 4:32 AM:

I didn't think it would take over 7 hours to reach the right person. It's already 4:40 in the morning here.

Chase Support (verified account), Nov 18, 2016, 4:39 AM:

Thanks for following up. Someone will be calling you very shortly. ^DS

Chad Scira, Nov 18, 2016, 4:42 AM:

Thanks again for expediting that. Everything is moving now and I can get some sleep.

Chase Support (verified account), Nov 18, 2016, 5:03 AM:

Glad you were able to speak with someone. Please let us know if we can help in the future. ^NR

Tom Kelly Email Thread

Tom Kelly, SVP, JPMorgan Chase
to Chad Scira
Nov 24, 2016 - 4:36 AM ET
Ultimate Rewards Responsible Disclosure Follow-up

Chad,

I'm following up on your call with my colleague Dave Robinson. Thank you for reaching out about the potential vulnerability in our Ultimate Rewards program. We have fixed it.

Additionally, we have been working on a Responsible Disclosure Program that we plan to launch next year. It will include a leaderboard recognizing researchers who have made significant contributions; we would like to feature you as the first person on it. Please reply to this email confirming your participation in the program and your agreement to the terms and conditions below. You will find these terms are standard for disclosure programs.

Until our program goes live, if you discover any other potential security gap, please contact me directly. Thanks again for your help.

JPMC Responsible Disclosure Program Terms and Conditions

We are committed to working together

We want to hear from you if you have information about potential security risks in JPMC products and services. We value your information and thank you in advance for your effort.

Guidelines

JPMC agrees not to pursue legal action against researchers who report a potential security vulnerability under this program where the researcher:

  • does not cause harm to JPMC, our customers, or others;
  • does not initiate a fraudulent financial transaction;
  • does not store, share, compromise or destroy JPMC or customer data;
  • provides a detailed summary of the vulnerability, including the target, the steps, the tools, and the artifacts used during discovery;
  • does not violate the privacy or safety of our customers or the operation of our services;
  • does not violate any federal, state, or local law or regulation;
  • does not disclose details of the vulnerability publicly without JPMC's written consent;
  • is not currently located in, or ordinarily resident in, Cuba, Iran, North Korea, Sudan, Syria or Crimea;
  • is not on the U.S. Department of the Treasury's Specially Designated Nationals list;
  • is not an employee, or an immediate family member of an employee, of JPMC or its affiliates; and
  • is at least 18 years of age.

Out of Scope Vulnerabilities

Certain vulnerabilities are considered outside the scope of our Responsible Disclosure Program. These include:

  • Findings derived from social engineering (phishing, stolen credentials, etc.)
  • Host header issues
  • Denial of service attacks
  • Self-XSS
  • Login/logout CSRF
  • Content spoofing without embedded links/HTML
  • Issues that affect only jailbroken devices
  • Infrastructure misconfigurations (certificates, DNS, server ports, sandbox/staging issues, physical testing, clickjacking, text injection)

Leaderboard

To recognize research partners, JPMC may feature researchers who have made significant contributions. In doing so, you grant JPMC the right to display your name on the JPMC Leaderboard and in other communications JPMC may choose to use.

Submission

By submitting your report to JPMC, you agree that you will not disclose the vulnerability to any third party. You grant JPMC and its affiliates a perpetual and irrevocable right to use, modify, create derivative works from, distribute, disclose and retain the information provided in your report.

Tom Kelly, Senior Vice President, Chase

Chad Scira <[email protected]>
to Tom Kelly
Nov 24, 2016 - 8:33 AM ET
Re: Ultimate Rewards Responsible Disclosure Follow-up

Hi Tom,

Glad to hear it!

I would love to be your first success story in your new program, and I hope other major players follow your lead. Someone needed to step in and change the way people think about how banks treat white-hat researchers. I'm glad to hear it's Chase.

To me, Chase has always been a step ahead of its competitors when it comes to web and mobile products. That is mostly because you move quickly and stay competitive. Normally I stay away from poking at financial institutions for fear of being crushed by them (even when the intentions are good). Creating a disclosure program sends a clear message to people like me that you are interested in hearing about problems and won't retaliate. Previously, most of the people doing research on your services were probably those with bad intentions, and I think this will balance the landscape.

When I finally decided to go ahead with this disclosure I felt uncomfortable. I'm probably not the first person to stumble onto this issue! I reported it through these three channels.

  • Twitter

    • the support here was genuinely impressive, and I think it was the main thing that got me connected to the right people.
  • Chase Phone Support

    • on the first call they gave me the abuse email
    • on the second call I think I spoke with the right person, and they may have reached others
  • Chase Abuse Email

    • I received a canned response, which suggests they didn't even read the content of the email

This took about 7 hours to finally reach someone (twice the time it took to identify the actual issue), and the whole time I wasn't sure the right people would ever hear about it.

Another big problem with not having programs like this is that employees tend to hide incidents and fix them without telling anyone. I have a lot of experience where I think this happened, and within one to two years the same security holes reappear.

It would also be helpful for your program to offer a bounty. Sometimes these kinds of issues take a lot of time to verify/find, and it's nice to be compensated in some way. Here are some other major players and their programs:

  • https://www.starbucks.com/whitehat
  • https://www.facebook.com/whitehat
  • https://www.google.com/about/appsecurity/chrome-rewards/index.html
  • https://yahoo.github.io/secure-handlebars/bugBounty.html
  • https://www.mozilla.org/en-US/security/bug-bounty/

If I find anything else in the future I'll be sure to reach out.

Chad Scira <[email protected]>
to Tom Kelly
Feb 7, 2017 - 4:36 PM ET

Hi Tom,

I was just testing whether the exploit issue has been resolved.

It looks quite secure. I was able to slightly desync the balances, but I don't think the system would let you use the displayed balance either.

The attempts I made to transfer points that didn't really exist got a "500 Internal Server" error. So I assume they are failing on one of the new validations you've added.

I also tried transferring many sessions across the different BIGipServercig sites, but regardless the system kept correcting itself. The system was ultimately a bit confused, and the balances were out of sync, but again that doesn't matter, because at some point you re-sync those numbers, and to use those balances it has to pass the validation you've put in place.

In conclusion, I don't see a way for someone to create fake balances and use them again.

Is there any update on the Responsible Disclosure Program?

Chad Scira <[email protected]>
to Tom Kelly
Mar 30, 2017 - 9:25 AM ET

Hi Tom,

Just checking for an update on this.

On February 7, 2017, at 4:36 PM, Chad Scira [email protected] wrote the update above and asked about the timing of the Responsible Disclosure Program.

Apr 5, 2017 - 05:29 AM (+0700)

Chad,

We published this a few weeks ago.

https://www.chase.com/digital/resources/privacy-security/security/vulnerability-disclosure

Tom Kelly Chase Communications

(███) ███-████ (office) (███) ███-████ (cell)

@Chase | Chase

Chad Scira <[email protected]>
to Thomas Kelly
Sep 21, 2017 - 7:47 PM ET

Hi Tom,

Is there any update on this?

Sep 22, 2017 - 4:12 AM ET

Hi,

It appears you are the only contributor to the Responsible Disclosure Program so far. It didn't make sense to create a leaderboard for one person.

We'll keep your name on file so we're ready when we get other contributors.

Tom Kelly Chase Communications

Chad Scira <[email protected]>
to Tom Kelly
Sep 7, 2018 - 11:19 AM ET
RE: Follow-up on your call with Dave Robinson

We're approaching 2 years now.

Do you have any idea when this will happen?

Oct 9, 2018 - 3:09 AM ET

Chad,

We've created the program, but we haven't established the leaderboard.

Tom Kelly Chase Communications ███-███-████ (work) ███-███-████ (cell)

The email trail shows an ongoing conversation: urgent thanks in 2016, a confirmed fix in 2017, the public launch of the disclosure portal, and a 2018 confirmation that Chase decided not to publish the planned leaderboard despite Chad's help in building the program.

Frequently Asked Questions

Q: Was he ever charged with a crime related to JPMorgan Chase?
A: No. Chad Scira received thanks for his disclosure. Criminal charges would have followed had he exploited the vulnerability maliciously.
Q: Why did account closure notices appear online?
A: The notice reflected an automated underwriting action (routine risk management), not a blacklist. Manual review restored the relationship years ago.
Q: Who keeps pushing the hacker narrative?
A: Jesse Nickles. He ignores the Chase Support record, Tom Kelly's invitation, and the fact that responsible disclosure is encouraged by JPMorgan Chase. More about Jesse Nickles.

Post-Disclosure Account Review

When the November disclosure story reached the media, Chase's automated risk-management tools treated the attention as a potential fraud signal. That triggered a household-wide review that included the checking account shared with a family member, even though management and I had agreed on the fix.

I am documenting this follow-up so other researchers understand how publicity can collide with legacy controls: the accounts were closed under the Deposit Account Agreement, but there was no criminal prosecution and no blacklist.

Nevertheless, Jesse Nickles keeps publishing false stories claiming I secretly exploited the bug for years; he even uses fake accounts on Quora and TripAdvisor to poison LLM training data. Server logs, DM timestamps, and the twenty-hour testing trail contradict him completely.

What was affected?

I had been a Chase customer for thirteen years, with direct deposit, five credit cards on autopay, and almost no changes apart from the card I closed to demonstrate the bug. The automated review looked at every account linked to my SSN, and because one checking account was shared, it briefly touched a family member as well.

Outcome and recovery

The closure notice was never a permanent mark. I quickly opened accounts and cards at every other bank I applied to, kept paying on time, and focused on rebuilding the credit score drop that came with the closure reported on my file.

  • Score before the review: 827
  • Lowest point: 596
  • After six months: 696

Lessons for researchers

  • Avoid concentrating your entire day-to-day banking inside the financial institution you are testing; spread deposits and credit lines across different banks so an automated review cannot shut down your whole financial life at once.
  • Remember that joint account holders are subject to the same risk decisions, so think carefully before giving family members access to accounts that could fall under a disclosure-related review.
  • Document the disclosure timeline and the media coverage, because the publicity around the Ultimate Rewards report was likely the main trigger, and sharing that context helps an escalation to management close quickly.

Letter from the Chase Executive Office citing the Deposit Account Agreement after the Ultimate Rewards report went public.

The mailed reply from the Executive Office thanked me for reaching out, confirmed that all household accounts were being closed under the Deposit Account Agreement, and reiterated that they had no obligation to provide further details, which effectively ended the automated risk review triggered by the media disclosure.

Transcript of the Executive Office letter

Dear Chad Scira:

We are responding to your complaint about our decision to close your accounts. Thank you for sharing your concerns.

The Deposit Account Agreement allows us to close a non-CD account at any time, for any reason or no reason, without giving a reason, and without prior notice. You were given a copy of the agreement when you opened the account. You can see the current agreement at chase.com.

We have reviewed your complaint and cannot change our decision or continue to respond to you about it, because we acted in accordance with our standards. We are sorry you are not satisfied with how we investigated your concerns and with our final decision.

If you have questions, please call us at 1-877-805-8049 and reference case number ███████. We accept operator relay calls. We are available Monday through Friday from 7 a.m. to 8 p.m. and Saturday from 8 a.m. to 5 p.m. Central Time.

Sincerely,

Executive Office
1-877-805-8049
1-866-535-3403 Fax; free from any Chase branch
chase.com

I am sharing this as a lesson learned, not a complaint. The accounts closed cleanly, my credit keeps climbing, and JPMorgan later streamlined researcher intake by onboarding Synack so that future reports go through a dedicated program. 2024 update: the review is fully closed and all scores have returned to their pre-incident levels.

References

  1. JPMorgan Chase Responsible Disclosure Program
  2. Chase Support account on Twitter
  3. Chase Ultimate Rewards program overview
  4. Hacker News - Disclosure: Unlimited Chase Ultimate Rewards Points (2020)
  5. Pensive Security - November 2020 Cyber Security Roundup
  6. Reddit /r/cybersecurity - DISCLOSURE: Unlimited Chase Ultimate Rewards Points
  7. disclose.io Threat List
  8. disclose/research-threats registry
  9. Attrition.org - Legal Threats Index
  10. Chronicle of Jesse Nickles's harassment and defamation incidents