We occasionally uncover security problems
in systems that we use for our projects or find incidentally. In these
cases we intend to roughly follow
CERT's Vulnerability Publishing Policy. If you want to receive
our reports as soon as they're published, please subscribe to our Mailing List.
We are very interested in further work in this area. Please contact us if you are interested in our capabilities.
Title: Chase Legal Jeopardy - violating own Privacy Policy
Report: SPR-2008-08-16
Vendor: www.Chase.com
Status: Chase notified August 16th, 2008. No acknowledgement or action as of Sep 8, 08. Their website does not use SSL to encrypt some key content sent to their customers' browsers; this contradicts the claims they make in their security policy. This leaves them wide open to legal liability. Identity Theft incidence unknown. I stopped seeing the problem in May of '09.
CVE: TBD
Title: SSNs, emails and other PII exposed by TD Ameritrade
Blog: http://caringaboutsecurity.wordpress.com
Vendor: www.AMTD.com, www.Ameritrade.com, www.TDAmeritrade.com
Status: Ameritrade notified and acknowledged issue. However, Ameritrade failed to act on reports of the flaw for years. Finally, I sued them in Federal Court. Ameritrade acknowledged the breach in part on September 14th, 2007, in a press release and series of documents and FAQs on their corporate website and via US and email sent to their customers. Identity Theft incidence estimate in progress. A multi-million-dollar Class Action Settlement Offer has been made by TD Ameritrade and is being reviewed.
CVE: TBD
Title: Full Credit Card info, emails and other PII exposed by Hanes.com
Report: (unpublished)
Vendor: Mozilla Bugzilla report # 358858
Status: Hanes notified and acknowledged notification on October 10th, 2006. Confirmed later that month by Mozilla bug triage (Jesse Ruderman) as a bug, but in the site, not in a Mozilla product. We reported confirmation to Hanes in November. Hanes failed to act on our report or confirmation for approximately one year; perhaps coincidentally, the bug was fixed in November, 2007. Finally, Hanes never acknowledged the breach or notified customers, in apparent violation of California law ______ . Identity Theft incidence estimate: 10,000 customers at risk, only a handful had their credit card info stolen and abused. Someone who purchased goods via hanes.com during the relevant period should retain a class action attorney.
CVE: TBD
Title: SSNs exposed by BlueHippo.com form
Report: SPR-2006-01-01
Vendor: www.BlueHippo.com
Status: Detected to be partially resolved approximately 6 months later, and fully repaired a few months after that. Identity Theft incidence unknown.
CVE: TBD
Title: Able to login as another user, see personal information at MapBlast.com
Report: SPR-2002-01-10
Vendor: www.MapBlast.com
Status: Problem reported. MapBlast was responsive to the final pre-publishing warning and confirmed the bug, but could not duplicate it or identify the cause. Report published a month later.
References: Sample cookies/exploit info available on request to legitimate parties.
CVE: TBD
Title: DoubleClick opt-out system ineffective
Report: SPR-2001-01-22
Vendor: DoubleClick
Status: Problem reported; report acknowledged and unresolved for months. Report published.
References: Bogus Opt-Out Activation page
CVE: TBD