Case Study: How Rarefied discovered a vulnerability in Chase Bank

Executive Summary

This case study details a security research project conducted by Rarefied, in accordance with Chase Bank's Responsible Disclosure Program, which targeted the systems of Chase Bank. Our objective was to identify vulnerabilities within Chase Bank's online banking platform, analyze its potential impact, explore exploitation methods, and suggest possible mitigations. This study underscores the significance of the discovered vulnerability and provides insights into how similar vulnerabilities can be identified and addressed.

A fix for this issue has been deployed by Chase Bank and Rarefied retested the vulnerability to confirm remediation. Per Chase Bank's policy, this remediation allows for Rarefied to discuss the details of the vulnerability.

Introduction

In the evolving landscape of cybersecurity, continuous research is essential to uncover new vulnerabilities and develop effective countermeasures. This case study focuses on a particular vulnerability discovered in Chase Bank's online banking platform, showcasing our research methodology, findings, and recommendations for mitigation.

Methodology

Our security research methodology follows a systematic approach to ensure thorough analysis and validation of the vulnerability. The key phases include:

  1. Vulnerability Discovery: Identifying potential weaknesses through manual inspection and automated tools.
  2. Proof of Concept (PoC) Development: Creating a PoC to demonstrate the vulnerability's exploitability.
  3. Impact Analysis: Assessing the potential impact of the vulnerability if exploited in a real-world scenario.
  4. Mitigation Strategies: Proposing measures to mitigate the vulnerability via the organization's Responsible Disclosure Program.

Findings

Vulnerability Overview

During our research, we identified a critical vulnerability in Chase Bank's online banking platform, specifically in the Chase Rewards functionality. This vulnerability, if left unaddressed, could allow an attacker to effectively reimburse themselves for all credit card transactions on their account.

Background

The vulnerability was found in the "Pay Yourself Back" feature of the Chase Rewards platform, specifically on the URL: https://ultimaterewardspoints.chase.com/pay-yourself-back

This features allows users to redeem Chase Rewards points for credit card statement credits. For example, if you went to a cafe and bought a coffee and a pastry for $10, you could redeem 1,000 Chase Rewards points for a $10 statement credit, effectively reimbursing yourself for that transaction.

Proof of Concept (PoC)

Select a transaction to redeem (note the current balance of 385,840 reward points), and click Continue:

Select the transaction to redeem

On the next screen, apply the full value of the transaction (note that it will cost 2,752 points to redeem, leaving a new balance of 383,088 points):

Apply the full value of the transaction

Intercept the request using a proxy like Burp Suite Pro (note the loyaltyAmount parameter in the data body is 2752):

Intercept the request

Here is the request:

The Request

In the request, change the value from 2752 to a lower amount (like 200 here):

Edit the request

Note that the 200 value persists through the transaction and only 200 points were debited (the total points is now 385,640):

The value persists through the transaction

The confirmation email matched these details:

The confirmation email matched the details

And the amount was credited to the credit card and posted:

The amount was credited to the credit card

Impact Analysis

The identified vulnerability poses a Critical risk to Chase Bank's online banking platform due to the potential for significant financial losses. Immediate remediation is recommended to mitigate this risk.

Mitigation

Do not trust user-supplied input when determining the validity of a transaction or when processing the transaction. Instead, confirm the transaction is valid server side and that all credits and debits are accurate based on that transaction.

Conclusion

This case study highlights the importance of ongoing security research in identifying and mitigating vulnerabilities in online banking platforms. By understanding and addressing these vulnerabilities, financial institutions can protect themselves against potential threats and enhance their overall security posture. Rarefied remains dedicated to advancing cybersecurity through rigorous research and practical recommendations.

Responsible Disclosure

As noted above, Rarefied adhered to Chase Bank's Responsible Disclosure Program throughout this research project. All findings were reported to Chase Bank in a responsible manner, allowing them the opportunity to address the vulnerabilities before public disclosure.

The terms of the program allow for this disclosure.

Acknowledgement

Rarefied has been recognized by Chase Bank for reporting this vulnerability.

Ready to get started?

We look forward to discussing your security testing needs.

Name
Email
How can we help?