Rarefied Discovers Critical Vulnerability in Chase Bank

How Rarefied Discovered a Critical Vulnerability in Chase Bank

Executive Summary

This case study details a security research project conducted by Rarefied against the systems of Chase Bank, in accordance with Chase Bank's Responsible Disclosure Program. Our objective was to identify vulnerabilities within Chase Bank's online banking platform, analyze their potential impact, explore exploitation methods, and suggest possible mitigations.

Key Outcome

A critical vulnerability was discovered that could allow attackers to reimburse themselves for credit card transactions at a fraction of the actual cost in reward points.

Chase Bank has deployed a fix for this issue, and Rarefied retested the vulnerability to confirm remediation. Per Chase Bank's policy, remediation permits Rarefied to discuss the details of the vulnerability.

Introduction

In the evolving landscape of cybersecurity, continuous research is essential to uncover new vulnerabilities and develop effective countermeasures. This case study focuses on a particular vulnerability discovered in Chase Bank's online banking platform, showcasing our research methodology, findings, and recommendations for mitigation.

In today's digital banking environment, even the most sophisticated financial institutions can harbor critical security vulnerabilities that may go undetected without specialized security research.

Methodology

Our security research methodology follows a systematic approach to ensure thorough analysis and validation of the vulnerability. The key phases include:

Research Process

  1. Vulnerability Discovery: Identifying potential weaknesses through manual inspection and automated tools.
  2. Proof of Concept (PoC) Development: Creating a PoC to demonstrate the vulnerability's exploitability.
  3. Impact Analysis: Assessing the potential impact of the vulnerability if exploited in a real-world scenario.
  4. Mitigation Strategies: Proposing measures to mitigate the vulnerability via the organization's Responsible Disclosure Program.

Findings

Vulnerability Overview

During our research, we identified a critical vulnerability in Chase Bank's online banking platform, specifically in the Chase Rewards functionality. This vulnerability, if left unaddressed, could allow an attacker to effectively reimburse themselves for all credit card transactions on their account.

The vulnerability allowed users to manipulate the reward points required for transaction reimbursements, creating a significant financial risk for the bank.

Background

The vulnerability was found in the "Pay Yourself Back" feature of the Chase Rewards platform, specifically on the URL: https://ultimaterewardspoints.chase.com/pay-yourself-back

How "Pay Yourself Back" Should Work

This feature allows users to redeem Chase Rewards points for credit card statement credits. For example, if you went to a cafe and bought a coffee and a pastry for $10, you could redeem 1,000 Chase Rewards points for a $10 statement credit, effectively reimbursing yourself for that transaction.

Proof of Concept (PoC)

Vulnerability Exploitation Steps

The following steps demonstrate how the vulnerability could be exploited by manipulating the reward points required for a transaction reimbursement.

Step 1: Select a Transaction

Select a transaction to redeem (note the current balance of 385,840 reward points), and click Continue:

Select the transaction to redeem

Step 2: Apply Full Value

On the next screen, apply the full value of the transaction (note that it will cost 2,752 points to redeem, leaving a new balance of 383,088 points):

Apply the full value of the transaction

Step 3: Intercept the Request

Intercept the request using a proxy like Burp Suite Pro (note the loyaltyAmount parameter in the data body is 2752):

Intercept the request

The vulnerability existed because the server trusted this client-side value when determining the number of points to deduct, so the loyaltyAmount parameter could be altered in transit while the statement credit itself was still issued for the full transaction amount.

Step 4: Modify the Request

In the request, change the value from 2752 to a lower amount (like 200 here):

Edit the request

Step 5: Verify the Exploitation

Note that the 200 value persists through the transaction and only 200 points were debited (the total points is now 385,640):

The value persists through the transaction

Step 6: Confirm via Email

The confirmation email matched these details:

The confirmation email matched the details

Step 7: Verify Credit Card Statement

And the amount was credited to the credit card and posted:

The amount was credited to the credit card

Impact Analysis

Risk Assessment

The identified vulnerability poses a Critical risk to Chase Bank's online banking platform due to the potential for significant financial losses. Immediate remediation is recommended to mitigate this risk.

The vulnerability could potentially allow malicious users to:

  1. Reimburse themselves for transactions at a fraction of the actual cost in reward points
  2. Exploit the system repeatedly for financial gain
  3. Cause significant financial losses to the bank if exploited at scale

The most concerning aspect of this vulnerability is that it could be exploited without sophisticated technical knowledge, making it accessible to a wide range of potential attackers.

Mitigation

Recommended Security Controls

Do not trust user-supplied input when determining the validity of a transaction or when processing it. Instead, confirm server-side that the transaction is valid and derive all credits and debits from the server's own record of that transaction, never from values echoed back by the client.

Specific recommendations include:

  1. Implement server-side validation of all transaction parameters
  2. Add integrity checks to ensure the points being deducted match the transaction value
  3. Implement additional authorization checks before processing reward redemptions
  4. Add monitoring to detect unusual patterns in reward redemptions
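The following is an added example, not Rarefied's or Chase Bank's code, that makes the mitigation concrete: a redemption handler that deducts whatever loyaltyAmount the client sends (the flaw described above) beside one that recomputes the price server-side from its own transaction record, plus a reconciliation check of the kind recommendation 4 calls for. It assumes a flat rate of 100 points per dollar, taken from the page's "1,000 points for a $10 credit" illustration, in-memory dicts in place of the bank's ledger, and constructed sample balances; none of these reflect the real platform.

```python
"""Added example (not Rarefied's or Chase Bank's code): trusting vs. recomputing
the points price of a "pay yourself back" redemption, plus a ledger check.

Assumptions (constructed for this example, not taken from the real platform):
  - POINTS_PER_DOLLAR = 100, from the page's 1,000 points -> $10 illustration
  - accounts, transactions and redemptions live in in-memory structures
  - money is handled in integer cents to avoid floating-point rounding
"""
from dataclasses import dataclass, field

POINTS_PER_DOLLAR = 100  # assumed rate


@dataclass
class Account:
    points: int
    # transaction id -> amount in cents (constructed sample data)
    transactions: dict = field(default_factory=dict)
    redeemed: set = field(default_factory=set)


def points_for_cents(amount_cents: int) -> int:
    """Server-side pricing rule: points required for a credit of amount_cents."""
    return amount_cents * POINTS_PER_DOLLAR // 100


def redeem_vulnerable(account: Account, txn_id: str, request: dict) -> int:
    """Deducts whatever 'loyaltyAmount' the client sent, then credits the
    full transaction amount. This mirrors the flaw the case study describes."""
    amount_cents = account.transactions[txn_id]
    points = int(request["loyaltyAmount"])   # client-controlled, never checked
    account.points -= points
    account.redeemed.add(txn_id)
    return amount_cents                       # credit posted regardless of points


def redeem_hardened(account: Account, txn_id: str, request: dict) -> int:
    """Validates the transaction server-side and prices it from the server's
    own record. A client-supplied loyaltyAmount is only ever compared against
    that price; a mismatch is rejected as tampering rather than honoured."""
    if txn_id not in account.transactions:
        raise ValueError("unknown transaction")
    if txn_id in account.redeemed:
        raise ValueError("transaction already redeemed")
    amount_cents = account.transactions[txn_id]
    expected = points_for_cents(amount_cents)
    if "loyaltyAmount" in request and int(request["loyaltyAmount"]) != expected:
        raise ValueError(
            f"loyaltyAmount {request['loyaltyAmount']} != server price {expected}")
    if account.points < expected:
        raise ValueError("insufficient points")
    account.points -= expected
    account.redeemed.add(txn_id)
    return amount_cents


def find_underpriced_redemptions(records):
    """Monitoring check (recommendation 4): flag ledger rows where the points
    deducted fall short of the server-side price of the credit issued.
    records: iterable of (redemption_id, credit_cents, points_deducted).
    Returns [(redemption_id, points_shortfall), ...]."""
    flagged = []
    for rid, credit_cents, points in records:
        shortfall = points_for_cents(credit_cents) - points
        if shortfall > 0:
            flagged.append((rid, shortfall))
    return flagged


if __name__ == "__main__":
    # Constructed scenario: a $10.00 purchase, client claims it costs 200 points.
    tampered = {"loyaltyAmount": "200"}
    weak = Account(points=10_000, transactions={"t1": 1000})
    print("vulnerable credit:", redeem_vulnerable(weak, "t1", tampered),
          "points left:", weak.points)           # 1000, 9800
    strong = Account(points=10_000, transactions={"t1": 1000})
    try:
        redeem_hardened(strong, "t1", tampered)
    except ValueError as err:
        print("hardened rejected:", err)
    ledger = [("r1", 1000, 1000), ("r2", 1000, 200), ("r3", 500, 500)]
    print("underpriced:", find_underpriced_redemptions(ledger))  # [('r2', 800)]
```

The hardened handler treats the client's points figure as a consistency check at most; the authoritative price comes from the server's own transaction record. The ledger check is the offline counterpart: even with a correct handler, reconciling points deducted against credits issued catches a regression or a bypass elsewhere.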

Conclusion

This case study highlights the importance of ongoing security research in identifying and mitigating vulnerabilities in online banking platforms. By understanding and addressing these vulnerabilities, financial institutions can protect themselves against potential threats and enhance their overall security posture.

Even the most sophisticated financial institutions can benefit from external security research to identify vulnerabilities that might otherwise go undetected.

Key Takeaways

  • Client-side validation should never be trusted for security-critical operations
  • Financial applications require rigorous server-side validation of all transactions
  • Responsible disclosure programs are essential for collaborative security improvement
  • Prompt remediation of vulnerabilities is critical to preventing exploitation

Rarefied remains dedicated to advancing cybersecurity through rigorous research and practical recommendations.

Responsible Disclosure

As noted above, Rarefied adhered to Chase Bank's Responsible Disclosure Program throughout this research project. All findings were reported to Chase Bank in a responsible manner, allowing them the opportunity to address the vulnerabilities before public disclosure.

The terms of the program allow for this disclosure.

Acknowledgement

Rarefied has been recognized by Chase Bank for reporting this vulnerability.

About Rarefied's Research Program

Rarefied conducts ongoing security research to identify vulnerabilities in widely-used systems and applications. Our goal is to improve the overall security posture of the digital ecosystem through responsible disclosure and collaboration with affected organizations.

If you're interested in learning more about our research or security services, please contact us.