David Eade is a web developer and web security consultant, based in Billingshurst, West Sussex, UK. Most security vulnerabilities are privately reported to the respective vendor. This blog includes only publicly disclosed issues.
9 March 2020
Avast Antitrack makes a man-in-the-middle attack on HTTPS traffic possible.
The consequences are hard to overstate. A remote attacker running a malicious proxy could capture the victim's HTTPS traffic and record credentials for later re-use. If a site requires two-factor authentication (such as a one-time password), the attacker can still hijack a live session by cloning the session cookies after the victim logs in.
The victim needs to take no special action: running Avast Antitrack in its default configuration is enough. Nor does the attacker need any access to the victim's machine.
5 November 2004
Customers could log in to other people's accounts using just a username, bypassing all of the account's security information.
David Eade exposed a security loophole allowing cahoot customers to access other people's accounts without a password. The cahoot website, run by Abbey bank, was closed down for 10 hours to carry out urgent repairs. Tim Sawyer, head of cahoot bank, said it needed to learn lessons from the security breach.