Bugtraq mailing list archives

User Alert: E*TRADE Usernames and Passwords Remotely Recoverable


From: "Jeffrey W. Baker" <jwbaker () ACM ORG>
Date: Fri, 22 Sep 2000 09:13:09 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

User Alert: E*TRADE Usernames and Passwords Remotely Recoverable

*Date

22 September 2000

*Author

Jeffrey W. Baker, email jwbaker () acm org

*Copyright Statement

This security advisory is Copyright 2000 by Jeffrey William Baker
(jwbaker () acm org).  The advisory may be distributed in whole or in part
without modification.

*Introduction

This is a User Alert.  This document is intended to alert users to the
vulnerabilities they face when using insecure computer software.  This
User Alert will show who is at risk, what the risks are, and how the user
can protect himself.  Unlike a Security Advisory, this document will not
describe the actual flaws in the software, nor will it describe an
exploit.  However, it will include proof that the exploit exists.

My hope is that this style of Alert will allow users to protect
themselves, without unnecessarily spreading information about specific
exploits.  If software companies were willing to alert their users to
security risks, this type of Alert would not be needed.

*Background

E*TRADE is a company which allows its customers to trade securities using
the World Wide Web.  In E*TRADE's own words, they have "some of the most
advanced technology for Web security."  E*TRADE compares their services to
a steel vault, a moat, and Fort Knox.[1]

Between 17 and 21 August 2000, I discovered a number of vulnerabilities in
the security of E*TRADE's systems.  E*TRADE was contacted via the email
aliases security () etrade com and webmaster () etrade com on 21 August 2000.
Soon thereafter I was in contact with the Director of System Security and
the Manager of Security Threat Analysis.  Emails were exchanged on 21, 22,
and 23 August 2000.  E*TRADE officials indicated that they were already
aware of the security problems listed herein, but had not fixed them due
to various kinds of corporate inertia.  At the time of this writing, the
problems are still outstanding in E*TRADE production systems, and no
estimated date has been mentioned for fixing them.

This alert is needed because E*TRADE has not alerted their customers to
the risk involved when using the E*TRADE service.  The users have a great
deal of money at stake, and are unable to evaluate these risks for
themselves.  This is perhaps something that would be of interest to the
U.S. Securities and Exchange Commission.

*Who is at risk

Most E*TRADE users are at risk.

*What is the potential risk

Due to flaws in E*TRADE's software, a remote third party can recover the
usernames and plain-text passwords of any E*TRADE user.  The vector of
attack can be a malicious (but innocent looking) web site, an email, or a
variety of more obscure methods.  A local compromise of the user's machine
is not required.  The attacker only needs to seek out known or likely
E*TRADE users and contact them.

The result of the attack is that the attacker will have the user's
username and password.  This will allow the attacker arbitrary access to
the account, including banking, securities trading, and other valuable
access.

*How the user can protect himself

The user can protect himself by disabling JavaScript in the browser, and
by not using the E*TRADE service.

*Proof of exploit

I have written a full advisory describing the vulnerability and the
exploit.  This document is stored offline on a CD in a safe place.  When
E*TRADE repairs their systems, or on 21 February 2001, whichever comes
first, the advisory will be released.  This is the detached signature of
the advisory, without the BEGIN and END delimiters (to avoid confusing
your mail clients):

gpg: Signature made Fri Sep 22 08:39:10 2000 PDT using DSA key ID CF0A42AC
gpg: Good signature from "Jeffrey W. Baker <jwbaker () acm org>"

Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA5y30eMAHoQs8KQqwRAoGjAJ4z2KL+5+mm3aBcPALsxafi4q5WMwCeI/5Q
UfCeHZa4JZR2RLMxewB/lmM=
=kIHU
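
As an added example, not part of the original alert, the script below shows the property the author relies on above: a detached PGP signature published now commits to a text that is revealed later, and any change to that text breaks verification. It generates a throwaway key in a temporary keyring, signs a constructed stand-in for the withheld advisory, then verifies the signature against the unchanged text and against a one-character edit. It assumes GnuPG 2.1 or later in PATH; the key, user id and file contents are constructed for the demonstration and are not the author's.

```shell
#!/bin/sh
# Added example: commit-now, reveal-later with a detached PGP signature.
# Assumes GnuPG 2.1+ in PATH.  The key and advisory text are constructed
# placeholders, not material from the alert.
set -u

# Create an isolated keyring holding one throwaway, passphrase-less
# signing key, and print the path of the temporary GNUPGHOME.
make_keyring() {
  home=$(mktemp -d)
  chmod 700 "$home"
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Example Signer <signer@example.invalid>' default default never \
    >/dev/null 2>&1
  printf '%s\n' "$home"
}

# Sign a stand-in advisory, then check that the signature accepts the
# original text and rejects a tampered copy.  Prints "ok" on success.
detached_signature_demo() {
  home=$(make_keyring)
  work=$(mktemp -d)
  advisory="$work/advisory.txt"
  sig="$work/advisory.txt.asc"

  # Constructed stand-in for the advisory text kept offline.
  printf 'Full advisory text (constructed placeholder).\n' > "$advisory"

  # Publish-now step: an ASCII-armoured detached signature over the text.
  GNUPGHOME="$home" gpg --batch --quiet --armor --detach-sign \
    --output "$sig" "$advisory" 2>/dev/null

  # Reveal-later step: the released text must verify against that signature.
  if GNUPGHOME="$home" gpg --batch --quiet --verify "$sig" "$advisory" >/dev/null 2>&1; then
    original=good
  else
    original=bad
  fi

  # A one-character edit to the released text must fail verification.
  sed 's/Full/Fool/' "$advisory" > "$work/tampered.txt"
  if GNUPGHOME="$home" gpg --batch --quiet --verify "$sig" "$work/tampered.txt" >/dev/null 2>&1; then
    tampered=good
  else
    tampered=bad
  fi

  # Clean up the throwaway keyring and its agent.
  GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$home" "$work"

  if [ "$original" = good ] && [ "$tampered" = bad ]; then
    echo ok
  else
    echo fail
    return 1
  fi
}

# Usage: detached_signature_demo
```

When the full advisory is released, the reader's check is the same verify step: restore the BEGIN and END delimiters around the signature block quoted above, fetch the author's public key (DSA key ID CF0A42AC as stated in the gpg output), and run `gpg --verify` with that signature against the released text. The signature published here rules out a later rewrite of the advisory just as the tampered-copy case does in the script.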

*Footnotes

[1]http://www.etrade.com/cgi-bin/gx.cgi/AppLogic+About?gxml=hpc_disc_secure_c.html&lvl=about

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5y4QQMAHoQs8KQqwRAt3JAKC4ziBRJuIQ5eTg5suLMNXtEbiI1wCgpv4M
CHiCzc22WmUXb+gSn1ZRxFM=
=gOYt
-----END PGP SIGNATURE-----
