E*Trade accounts Vulnerable

Hmm... this doesn't seem to have been picked up yet by Cnet or Wired.

http://www.securityfocus.com/news/92

> E*Trade accounts Vulnerable
>
> The online brokerage is working to close a hole that
> exposes passwords to theft.
> By Kevin Poulsen
> September 25, 2000 10:44 AM PT
>
> The E*Trade online brokerage is downplaying reports that a
> security weakness in their password-saving mechanism puts
> subscribers' trading accounts at risk.
>
> At issue is the company's practice of storing user passwords as
> cookies on an account-holder's PC, protected only by a very
> weak scrambling technique.
>
> Additionally, the E*Trade site is vulnerable to a "cross-site
> scripting attack," allowing an attacker to formulate an HTML link
> which, if followed by an account holder, will allow access to that
> cookie, and in turn the account holder's password.
>
> Such a malicious link can be hidden on an unrelated web site or
> sent out to a target in an email message, such as a bogus
> electronic greeting card.
>
> E*Trade spokesperson Heather Fondo said she could not
> immediately comment Friday afternoon or Monday morning. A
> call to the company's security director, Clifford Reeser, was not
> returned, but in a brief emailed statement Friday, Reeser called
> the vulnerability "minor."
>
> "We always maintain several checks and balances in our systems
> and procedures to ensure that new vulnerabilities such as these
> that occur from time-to-time throughout the industry do not pose
> a significant risk," Reeser wrote.
>
> San Francisco computer programmer Jeffrey Baker first hinted
> at the problem in a public advisory sent out over the Bugtraq
> mailing list Friday. The advisory omitted details, and was
> designed, Baker said, to spur action at E*Trade, which he said
> had not closed the weakness a month after he privately
> reported it to them. Baker demonstrated the vulnerability for
> SecurityFocus on Friday, on the condition that certain technical
> details be omitted from this report.
>
> That became largely moot over the weekend. Baker's spare
> posting was enough for another programmer, Marc Slemko, to
> figure out what the weakness was. Slemko posted more details
> and a program to descramble E*Trade account passwords on
> Sunday.

Slemko is from Edmonton, and is one of the members of the
Apache Group: http://www.apache.org/contributors/#slemko
(he was recently a student in the CS program at the
U of Alberta, but I don't know what he's doing now.)

Surfing around a bit, here's his report on his internship
at Go2Net (nice gig!):

   http://www.cs.ualberta.ca/iip/C400/Students99/ab-slemko.html

Marc's code: http://www.securityfocus.com/archive/1/84859

My E*Trade account doesn't seem to use cookies the way it's
currently set up, so I can't test it myself.

> Users who don't utilize E*Trade's six-month password storage
> option are less vulnerable, and can only have their passwords
> stolen while logged on to the E*Trade site in another window, or
> if they fail to formally log off of the web site after using it, said
> Baker. Users who employ a separate and distinct "trading
> password" appear to be safe, Baker adds. The vulnerability is
> only known to affect the online brokerage, not the company's
> banking services.
>
> There are no reports of the weakness being exploited
> maliciously. In his email, E*Trade's Reeser said the company
> was working to close the security hole.
>
> E*Trade is the largest Internet-only broker, boasting over one
> million accounts.

--
Gerald Oskoboiny <[email protected]>
http://impressive.net/people/gerald/

HURL: fogo mailing list archives, maintained by Gerald Oskoboiny