David Eade

David Eade is a web developer and web security consultant, based in Billingshurst, West Sussex, UK. Most security vulnerabilities are privately reported to the respective vendor. This blog includes only resolved issues not subject to a non-disclosure agreement.

Avast AntiTrack does not check validity of end web server certificates

9 March 2020

A man-in-the-middle attack on HTTPS traffic is made possible by Avast AntiTrack.

The consequences are hard to overstate. A remote attacker running a malicious proxy could capture their victim's HTTPS traffic and record credentials for later re-use. Even if a site requires two-factor authentication (such as a one-time password), the attacker can still hijack a live session by cloning session cookies after the victim logs in.

A victim using Avast AntiTrack in its default configuration does not need to take any special action, and the attacker does not need access to the victim's machine.


Capita Disclosure and Barring Service leaks personal data

20 June 2019

Capita's hosted platform for DBS checks was misconfigured. Users' sensitive information could be observed in transit.

The contents of pages viewed and information submitted by the user could be recorded by a man-in-the-middle and retrospectively decrypted. Observations were based on information served by the platform during normal usage.


Cahoot bank security loophole

5 November 2004

Customers could log in to other people's accounts using just a username (typically their forename and surname) and bypassing any security information.

David Eade exposed a security loophole allowing Cahoot customers to access other people's accounts without a password. The Cahoot website, run by Abbey bank, was closed down for 10 hours to carry out urgent repairs. Tim Sawyer, head of Cahoot bank, said it needed to learn lessons from the security breach.