Hello all, first off let me be clear that this is not a security violation, nor a bug, vulnerability etc. I have been very very happy with this app on my iPhone for some time now, and the ability to instantly deposit checks is a huge kicker. If you don’t already have it I would highly recommend it… EXCEPT for one really big stinking privacy violation that they haven’t done anything about since I reported it to them over a month ago.
It took me a good 4 hours of my day to talk to various low level call center people (all very respectful, just incapable of understanding what I was trying to say), but I eventually talked to two of their mobility senior representatives and walked them through the steps to easily reproduce this issue.
In general, the issue is that if you install the Chase App on your iPhone, then uninstall it, then re-install and link a totally different account, you still get all of the alerts for the previous account!!! Even if you never link the previous account again to the new installation of the app. The toast notifications build up, you can see how much money, in what account, and where they are moving/spending that money… that is a HUGE deal. You can tell it is buggy because if you do log into the app with your new account, and navigate to the alerts section within the app, at least there they have some sanity check and it won’t show you the alerts for the previous account.
I’ve reproduced this on iOS 5 and now on iOS 6 with all the latest updates to the Chase App, and on several other phones with other people’s assistance to reproduce. You might be thinking: “who the hell cares”, but can you not imagine the possible scenario of loaning or gifting a phone? It is possible that they are tying the alerts to the phone number, so if you changed carriers perhaps it would fix it… but that “perhaps” is a bit of an issue for being able to see the transaction and balance information for accounts which you shouldn’t be able to.
So, steps to reproduce:
- Install Chase App
- Login with Account A
- blah blah blah
- at some point Uninstall the app – simulate a sale, a loan to a friend, etc whatever
- Install Chase App
- Login with Account B
- blah blah blah
- Get all the Alerts for previous Account A, including balances, locations, etc…
Bingo! huge privacy violations, most likely due to a very very poorly thought out “uninstall” scenario.
Now, I have spoken with Chase; they suggest that if you ever do this you should go into the online Chase bank, and find some obscure setting that took me forever, and essentially revoke the app permission from within Chase online. That actually works, however, most people would think that uninstalling the application should be sufficient to de-link that phone from my account information. Such is sadly not the case.
So, word to the wise, be very careful with loaning or gifting your phone… I’ve not tried to completely reset my phone to see if that would reset Chase’s alerts, but that’s because I think this is their problem to troubleshoot, not mine.
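
A small model of the behavior described above, added here as an illustration; it is not from the original post and not Chase's code. It assumes alerts are keyed server-side on a per-phone identifier that survives an uninstall (`device_id` is a hypothetical stand-in for a push token or phone number), and every class, function and account name is constructed.

```python
# Constructed model of a server-side alert registry (not Chase's code).
# Assumption: alerts are keyed on a per-phone identifier that survives an
# uninstall, and uninstalling the app sends nothing to the server.


class AlertRegistry:
    def __init__(self, exclusive_binding):
        # exclusive_binding=True: a phone may be linked to one account only.
        self.exclusive_binding = exclusive_binding
        self.subscriptions = {}  # account -> set of device ids

    def login(self, device_id, account):
        """Link a phone to an account when the app logs in."""
        if self.exclusive_binding:
            # Hardened: a new login on this phone drops every older link.
            for devices in self.subscriptions.values():
                devices.discard(device_id)
        self.subscriptions.setdefault(account, set()).add(device_id)

    def revoke(self, device_id, account):
        """Manual de-link, like the setting in the online banking site."""
        self.subscriptions.get(account, set()).discard(device_id)

    def accounts_alerting(self, device_id):
        """Accounts whose alerts would be pushed to this phone."""
        return sorted(a for a, d in self.subscriptions.items() if device_id in d)


def replay_steps(registry, manual_revoke=False):
    """Replay the reproduction steps and report what the phone receives."""
    phone = "phone-1"  # constructed identifier
    registry.login(phone, "account-A")
    if manual_revoke:
        registry.revoke(phone, "account-A")
    # Uninstall happens here: the server is not told, so no state changes.
    registry.login(phone, "account-B")
    return registry.accounts_alerting(phone)


if __name__ == "__main__":
    print(replay_steps(AlertRegistry(exclusive_binding=False)))        # leaky
    print(replay_steps(AlertRegistry(exclusive_binding=False), True))  # workaround
    print(replay_steps(AlertRegistry(exclusive_binding=True)))         # hardened
```

The first run reproduces the leak (the phone still receives Account A's alerts), the second mirrors the manual revoke from the online banking site, and the third shows the server dropping the old link on its own when a different account logs in on the same phone.
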
Has anyone else seen this? Or do you think I’m overreacting from the Privacy standpoint? Let me know please, and we’ll see if Chase will respond to my emails/phone calls/tweets with a timeline for when they are going to fix this.
New Edit: 11/15/2012 – Despite emails and phone calls and very vague generic tweets from @ChaseSupport, there is still no traction on this.