Security Problem Reports

We occasionally uncover security problems in systems that we use for our projects or find incidentally. In these cases we intend to roughly follow CERT's Vulnerability Publishing Policy. If you want to receive our reports as soon as they are published, please subscribe to our Mailing List.

We are very interested in further work in this area. Please contact us if you are interested in our capabilities.

Title : Chase Legal Jeopardy - violating own Privacy Policy
Report : SPR-2008-08-16
Vendor :
Status : Chase notified August 16th, 2008. No acknowledgement or action as of September 8, 2008. Their website does not use SSL to encrypt some key content sent to their customers' browsers; this contradicts the claims they make in their security policy. This leaves them wide open to legal liability. Identity Theft incidence unknown. I stopped seeing the problem in May of 2009.

Title : SSNs, emails and other PII exposed by TD Ameritrade
Blog :
Vendor :
Status : Ameritrade notified and acknowledged the issue. However, Ameritrade failed to act on reports of the flaw for years. Finally, I sued them in Federal Court. Ameritrade acknowledged the breach in part on September 14th, 2007, in a press release and a series of documents and FAQs on their corporate website, and via US mail and email sent to their customers. Identity Theft incidence estimate in progress. A multi-million-dollar Class Action Settlement Offer has been made by TD Ameritrade and is being reviewed.

Title : Full Credit Card info, emails and other PII exposed by
Report : (unpublished)
Vendor : Mozilla Bugzilla report # 358858
Status : Hanes notified and acknowledged notification on October 10th, 2006. Confirmed later that month by Mozilla bug triage (Jesse Ruderman) as a bug, but in the site, not in a Mozilla product. We reported the confirmation to Hanes in November. Hanes failed to act on our report or the confirmation for approximately one year; perhaps coincidentally, the bug was fixed in November 2007. Finally, Hanes never acknowledged the breach or notified customers, in apparent violation of California law ______ . Identity Theft incidence estimate: 10,000 customers at risk; only a handful had their credit card info stolen and abused. Someone who purchased goods via during the relevant period should retain a class action attorney.

Title : SSNs exposed by form
Report : SPR-2006-01-01
Vendor :
Status : Detected to be partially resolved approximately 6 months later, and fully repaired a few months after that. Identity Theft incidence unknown.

Title : Able to login as another user, see personal information at
Report : SPR-2002-01-10
Vendor :
Status : Problem reported. MapBlast was responsive to the final pre-publishing warning and confirmed the bug, but could not duplicate it or identify the cause. Report published a month later.
References : Sample cookies/exploit info available on request to legitimate parties

Title : DoubleClick opt-out system ineffective
Report : SPR #2001-01-22
Vendor : DoubleClick.
Status : Problem reported; report acknowledged and unresolved for months; report published.
References : Bogus Opt-Out Activation page


Here's an interesting interview with Dan Kaminsky. It's very insightful, and while it is aimed at a technical IT audience, I think normal computer users can understand some of the important parts. Note that this interview is from May 13, 2008; the secret summit about Dan's major discovery was March 31, 2008. On July 8th, the first set of patches came out.


[ Copyright (c) 2002 Matthew Elvey. Derived from a template Copyright 1999-2003 ACROS, d.o.o. All Rights Reserved. ]