David Eade

David Eade is a web developer and web security consultant, based in Billingshurst, West Sussex, UK. Most security vulnerabilities are privately reported to the respective vendor. This blog includes only publicly disclosed issues.

Cahoot bank security loophole

Customers could log in to other people's accounts using just a user-name and bypassing any security information.

5 November 2004

David Eade exposed a security loophole allowing Cahoot customers to access other people's accounts without a password. Customers could log in to other people's accounts using just a user-name and bypassing any security information. The Cahoot website, run by Abbey bank, was closed down for 10 hours to carry out urgent repairs. Tim Sawyer, head of Cahoot bank, said it needed to learn lessons from the security breach.

BBC Reports

"A Breakfast investigation has revealed a major security breach at the Abbey Bank's Cahoot website."

"A security loophole at internet bank Cahoot briefly allowed customers to access other people's accounts, a BBC investigation has revealed."

Television Appearances

David Eade was interviewed for BBC Breakfast regarding the Cahoot security loophole.

"The cahoot website is littered with reassuring messages about its security policy but, as one of our viewers pointed out, the claims were questionable..."

BBC News 24 report, 10am 5 November 2004

"A major Internet bank had to close for 10 hours after it was discovered that customers' accounts could be accessed without a password. Cahoot, run by Abbey, has apologised for the loophole in security. Max Foster reports..."

BBC1 News headlines, 1pm 5 November 2004

Other Media Coverage

Several newspapers reported the Cahoot security loophole. David Eade is not responsible for the content of these articles or external sites.