JP Morgan Chase Android Apps Password Exposure -- FIXED
Summary
Three JP Morgan Chase Android apps put passwords in the device log, exposing them to theft.
This is the #2 most important security flaw, according to OWASP.
Detailed Tests
Here are the apps I tested, and examples of passwords in the system log.
Chase Mobile
JP Morgan Mobile
Ink
Notification
I sent this message to Chase on 5-10-17:
FIXED
I never got a reply from Chase, but both apps were updated to version 3.38 on June 30, 2017, and that version no longer puts the password in the log.
Posted 5-10-17 by Sam Bowne
Updated with retest 7-28-17