JP Morgan Chase Android Apps Password Exposure -- FIXED
Summary
Three JP Morgan Chase Android apps put passwords in the device log, exposing them to theft.
This is the #2 most important security flaw, according to OWASP.
Detailed Tests
Here are the apps I tested, and examples of passwords in the system log.
Chase Mobile
![](chasem4.png)
![](chasem1.png)
JP Morgan Mobile
![](jpm1.png)
![](jpm4.png)
Ink
![](ink4.png)
![](ink1.png)
Notification
I sent this message to Chase on 5-10-17:
![](chasem5.png)
![](chasem6.png)
FIXED
I never got a reply from Chase, but both apps were updated to version 3.38 on June 30, 2017, and that version no longer puts the password in the log.
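A retest of this kind can be scripted: log in to a test account with a unique canary password, capture the device log, and search it for that value in plain and encoded forms. The Python below is an added example, not code from the original post or from Chase; the canary value, package name, log tags and log lines are all constructed.

```python
import base64
import re
from urllib.parse import quote

CANARY = "Canary#7f3a!pw"  # constructed test password for a test account
# logcat "threadtime" layout: date time pid tid level tag: message
LOGCAT = re.compile(r"^\S+ \S+\s+\d+\s+\d+ [VDIWEF] (?P<tag>.*?)\s*: (?P<msg>.*)$")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

def _in_base64(msg, raw):
    """True if any base64-looking token in msg decodes to bytes containing raw."""
    for tok in B64_TOKEN.findall(msg):
        tok = tok.rstrip("=")
        try:
            decoded = base64.b64decode(tok + "=" * (-len(tok) % 4))
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
        if raw in decoded:
            return True
    return False

def find_leaks(log_text, secret):
    """Return (line_no, tag, form) for each log line that carries the secret."""
    raw = secret.encode("utf-8")
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOGCAT.match(line)
        tag, msg = (m["tag"], m["msg"]) if m else ("?", line)
        if secret in msg:
            form = "plain"
        elif quote(secret, safe="") in msg:
            form = "url-encoded"
        elif _in_base64(msg, raw):  # e.g. an HTTP Basic header written to the log
            form = "base64"
        else:
            continue
        hits.append((line_no, tag, form))
    return hits

# Constructed sample log: hypothetical package name, tags and messages.
_basic = base64.b64encode(f"tester1:{CANARY}".encode()).decode()
SAMPLE_LOG = "\n".join([
    "05-10 14:22:31.101  4321  4321 I ActivityManager: Displayed com.example.bank/.LoginActivity",
    f"05-10 14:22:40.552  4321  4388 D LoginForm: submit user=tester1 password={CANARY}",
    f"05-10 14:22:40.610  4321  4390 D HttpClient: POST /auth body=pw={quote(CANARY, safe='')}",
    f"05-10 14:22:40.611  4321  4390 D HttpClient: Authorization: Basic {_basic}",
])

if __name__ == "__main__":
    print(find_leaks(SAMPLE_LOG, CANARY))
```

An empty result only shows that the canary did not appear in these encodings; a hashed or encrypted copy of the value would not be matched.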
Posted 5-10-17 by Sam Bowne
Updated with retest 7-28-17