A white-hat hacker who reported 'a bug that can increase money infinitely' to a bank explains the treatment he received



A security researcher who reported to JPMorgan Chase Bank a bug by which 'the balance can be driven negative and the negative balance then canceled, so that money can be increased indefinitely' says he was treated with hostility after making the report. He describes what kind of treatment he received.

DISCLOSURE: Unlimited Chase Ultimate Rewards Points | Chad Scira

https://chadscira.com/post/5fa269d46142ac544e013d6e/DISCLOSURE-Unlimited-Chase-Ultimate-Rewards-Points

The person who reported the infinite-money bug to JPMorgan Chase Bank, a commercial bank under the JPMorgan Chase umbrella, is security researcher Chad Scira. Scira found that JPMorgan Chase Bank's system had a 'race condition' bug, in which the final result changes depending on the timing of operations that the computer processes in parallel. With JPMorgan Chase Bank's permission, he ran an experiment in which points were repeatedly sent between multiple accounts over an unstable Internet connection.

As a result of this experiment, it was confirmed that the accounts used could keep sending points until their point balance went negative. He was able to create an account with a balance of 5,126,98 points and another with a balance of minus 5 million points. Cashed out, 5 million points are worth $5,000 (about 520,000 yen), but used toward airline tickets they are worth the equivalent of $76,810 (about 8 million yen).
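As an added illustration (not code from Scira's disclosure or from Chase), the toy ledger below shows how a check-then-debit that is not atomic lets concurrent point redemptions drive a balance negative, and how doing the check and the debit as one atomic step prevents it. The Barrier exists only to make the bad interleaving reproducible; in the real world an unstable connection and retries play that role.

```python
import threading


class PointsAccount:
    """Toy rewards ledger, constructed for this example (not Chase's real system)."""

    def __init__(self, balance, gate=None):
        self.balance = balance
        self.lock = threading.Lock()
        self.gate = gate  # optional Barrier, used only to make the race reproducible

    def redeem_racy(self, amount):
        # Vulnerable: the balance check and the debit are two separate steps.
        # Every redemption that passes the check before the first debit lands succeeds,
        # so N concurrent requests against a balance that covers one of them all go through.
        if self.balance < amount:
            return False
        if self.gate is not None:
            self.gate.wait()  # hold every worker here until all have passed the check
        self.balance -= amount
        return True

    def redeem_atomic(self, amount):
        # Hardened: check and debit happen under one lock, so redemptions are
        # serialised and the balance can never drop below zero. In a database the
        # equivalent is a single conditional UPDATE ... WHERE balance >= amount.
        with self.lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True


def race(method_name, start_balance, amount, workers):
    """Fire `workers` concurrent redemptions; return (final balance, successful redemptions)."""
    assert start_balance >= amount  # the Barrier assumes every worker passes the initial check
    gate = threading.Barrier(workers) if method_name == "redeem_racy" else None
    acct = PointsAccount(start_balance, gate)
    method = getattr(acct, method_name)
    results = []
    threads = [threading.Thread(target=lambda: results.append(method(amount)))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(results)


if __name__ == "__main__":
    print("racy  :", race("redeem_racy", 100, 100, 10))    # (-900, 10)
    print("atomic:", race("redeem_atomic", 100, 100, 10))  # (0, 1)
```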



JPMorgan Chase Bank accounts had a rule that 'when the account is deleted, all points are deleted.' Wondering whether this would also wipe out negative points, Scira tested the rule and confirmed that, as expected, all of the negative points were erased.

Scira also ran an experiment cashing out the 5,126,98 points. After cashing out 5 million of the 5,126,98 points, he confirmed that they were successfully converted to $5,000, proving that 'infinite cash growth' was potentially possible.




In 2016, when Scira ran this series of experiments, JPMorgan Chase Bank had no responsible disclosure program for vulnerabilities, so Scira reported his findings one by one to @ChaseSupport, the official Twitter account of JPMorgan Chase's customer service team, while continuing the experiments. The problems appear to have been fixed following Scira's reports, but about a week after reporting, Scira received a 'very hostile email' from JPMorgan Chase Bank.

In addition, JPMorgan Chase Bank deleted all of Scira's personal accounts at the bank, canceled all of his checking and savings accounts, and sent him a letter saying 'Your account has been deleted.'



According to Scira, not only he but also members of his family had their accounts canceled. 'It's a shame that banks want people to do this,' Scira said. 'Continuing to do this not only damages your reputation, but also leads to fewer bug reports. I hope you will realize that.'

in Web Service, Posted by darkhorse_log