David Eade

David Eade is a web developer and web security consultant, based in Billingshurst, West Sussex, UK. Most security vulnerabilities are privately reported to the respective vendor. This blog includes only resolved issues not subject to a non-disclosure agreement.

Cahoot bank security loophole

Customers could log in to other people's accounts using just a username (typically their forename and surname) and bypassing any security information.

5 November 2004

David Eade exposed a security loophole that allowed Cahoot customers to access other people's accounts without a password: a login needed only the account holder's username, and any further security information was bypassed. The Cahoot website, run by Abbey Bank, was closed down for 10 hours to carry out urgent repairs. Tim Sawyer, head of Cahoot bank, said it needed to learn lessons from the security breach.

BBC Reports

"A Breakfast investigation has revealed a major security breach at the Abbey Bank's Cahoot website."

"A security loophole at internet bank Cahoot briefly allowed customers to access other people's accounts, a BBC investigation has revealed."

Television Appearances

David Eade was interviewed for BBC Breakfast regarding the Cahoot security loophole.

"The Cahoot website is littered with reassuring messages about its security policy but, as one of our viewers pointed out, the claims were questionable..."

"A major Internet bank had to close for 10 hours after it was discovered that customers' accounts could be accessed without a password. Cahoot, run by Abbey, has apologised for the loophole in security. Max Foster reports..."

Media Coverage

Several newspapers reported the Cahoot security loophole. David Eade is not responsible for the content of these articles or external sites.