David Eade

David Eade is a web developer and web security consultant, based in Billingshurst, West Sussex, UK. Most security vulnerabilities are privately reported to the respective vendor. This blog includes only publicly disclosed issues.


Avast Antitrack does not check validity of end web server certificates

9 March 2020

A man-in-the-middle attack on HTTPS traffic is made possible by Avast Antitrack.

The consequences are hard to overstate. A remote attacker running a malicious proxy could capture their victim's HTTPS traffic and record credentials for later re-use. If a site requires two-factor authentication (such as a one-time password), the attacker can still hijack a live session by cloning session cookies after the victim logs in.

No special action by the victim is necessary when Avast Antitrack is used in its default configuration, and the attacker does not need access to the victim's machine.



Cahoot bank security loophole

5 November 2004

Customers could log in to other people's accounts using just a user-name and bypassing any security information.

David Eade exposed a security loophole allowing cahoot customers to access other people's accounts without a password. The cahoot website, run by Abbey bank, was closed down for 10 hours to carry out urgent repairs. Tim Sawyer, head of Cahoot bank, said it needed to learn lessons from the security breach.
