This post is about a potential risk of account theft at Chase. I have a Chase credit card, and I have logged into my online banking portal here. As you can see, it's got my name, some digits of my credit card number, my balance and so on. It also has a nice big red log off button. There is a security problem at this site, because that log off button does not do what it should. I've saved this URL to view my account information in a shortcut, so I can go right back to that page, and that's fine. I've also added the EditThisCookie extension to Chrome, so I can easily copy the cookie from that site into the clipboard. Now if I log off and then attempt to go back to that page to see my account information, it tells me I'm not allowed to get in there and that I need to put in a user ID and password, which is what should happen.
But if I put the cookie from that previous session back into my browser and then go to that page, I'm logged in again and can get back into my account. This is a really bad thing: it means an attacker who stole my cookie can keep on using it to get into my account even after I've logged off. There are many attacks to steal cookies; something as simple as a cross-site scripting vulnerability can be enough to make it easy for someone to steal your cookies, and there are other techniques. What should happen when you log off is that they remove the cookie from the server, so that if someone comes back and tries to use that cookie again, it's rejected. I don't understand why Chase does not do that.
I have informed them of this vulnerability, but they have not fixed it, so I decided to make this post.
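The log off behaviour described above, sketched as an added example that is not part of the original post and is not the bank's code: a server-side session table with a log off that only expires the browser's cookie next to one that also deletes the session record. The class, method and user names are hypothetical.

```python
import secrets


class SessionStore:
    """Server-side table mapping session-cookie values to user ids (hypothetical)."""

    EXPIRE_COOKIE = {"Set-Cookie": "session=; Max-Age=0; Path=/; Secure; HttpOnly"}

    def __init__(self):
        self._sessions = {}

    def login(self, user_id):
        # Unpredictable session id; this is the value the browser stores as a cookie.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user_id
        return sid

    def authenticate(self, cookie_value):
        # Returns the user id for a live session, or None if the value is unknown.
        return self._sessions.get(cookie_value)

    def logout_client_only(self, cookie_value):
        # Flawed: asks the browser to drop the cookie but keeps the server record,
        # so a saved copy of the cookie value still authenticates.
        return self.EXPIRE_COOKIE

    def logout(self, cookie_value):
        # Correct: delete the server-side record, then expire the browser cookie.
        self._sessions.pop(cookie_value, None)
        return self.EXPIRE_COOKIE


def replay_after_logout(logout_method_name):
    """Log in, keep a copy of the cookie, log off, then present the copy again."""
    store = SessionStore()
    saved_cookie = store.login("alice")  # constructed sample user
    getattr(store, logout_method_name)(saved_cookie)
    return store.authenticate(saved_cookie)  # None means the saved cookie was rejected


if __name__ == "__main__":
    print("client-only log off, saved cookie gives:", replay_after_logout("logout_client_only"))
    print("server-side log off, saved cookie gives:", replay_after_logout("logout"))
```

A regression test for a real application can follow the same shape: capture the session cookie, call the log off endpoint, present the captured cookie again and require a redirect to the login page.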