Bugtraq mailing list archives
User Alert: E*TRADE Usernames and Passwords Remotely Recoverable
From: "Jeffrey W. Baker" <jwbaker () ACM ORG>
Date: Fri, 22 Sep 2000 09:13:09 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

User Alert: E*TRADE Usernames and Passwords Remotely Recoverable

*Date
22 September 2000

*Author
Jeffrey W. Baker, email jwbaker () acm org

*Copyright Statement
This security advisory is Copyright 2000 by Jeffrey William Baker (jwbaker () acm org). The advisory may be distributed in whole or in part without modification.

*Introduction
This is a User Alert. This document is intended to alert users to the vulnerabilities they face when using insecure computer software. This User Alert will show who is at risk, what the risks are, and how the user can protect himself. Unlike a Security Advisory, this document will not describe the actual flaws in the software, nor will it describe an exploit. However, it will include proof that the exploit exists. My hope is that this style of Alert will allow users to protect themselves, without unnecessarily spreading information about specific exploits. If software companies were willing to alert their users to security risks, this type of Alert would not be needed.

*Background
E*TRADE is a company which allows its customers to trade securities using the World Wide Web. In E*TRADE's own words, they have "some of the most advanced technology for Web security." E*TRADE compares their services to a steel vault, a moat, and Fort Knox.[1]

Between 17 and 21 August 2000, I discovered a number of vulnerabilities in the security of E*TRADE's systems. E*TRADE was contacted via the email aliases security () etrade com and webmaster () etrade com on 21 August 2000. Soon thereafter I was in contact with the Director of System Security and the Manager of Security Threat Analysis. Emails were exchanged on 21, 22, and 23 August 2000. E*TRADE officials indicated that they were already aware of the security problems listed herein, but had not fixed them due to various kinds of corporate inertia.

At the time of this writing, the problems are still outstanding in E*TRADE production systems, and no estimated date has been mentioned for fixing them. This alert is needed because E*TRADE has not alerted their customers to the risk involved when using the E*TRADE service. The users have a great deal of money at stake, and are unable to evaluate these risks for themselves. This is perhaps something that would be of interest to the U.S. Securities and Exchange Commission.

*Who is at risk
Most E*TRADE users are at risk.

*What is the potential risk
Due to flaws in E*TRADE's software, a remote third party can recover the usernames and plain-text passwords of any E*TRADE user. The vector of attack can be a malicious (but innocent looking) web site, an email, or a variety of more obscure methods. A local compromise of the user's machine is not required. The attacker only needs to seek out known or likely E*TRADE users and contact them.

The result of the attack is that the attacker will have the user's username and password. This will allow the attacker arbitrary access to the account, including banking, securities trading, and other valuable access.

*How the user can protect himself
The user can protect himself by disabling JavaScript in the browser, and by not using the E*TRADE service.

*Proof of exploit
I have written a full advisory describing the vulnerability and the exploit. This document is stored offline on a CD in a safe place. When E*TRADE repairs their systems, or on 21 February 2001, whichever comes first, the advisory will be released.

This is the detached signature of the advisory, without the BEGIN and END delimiters (to avoid confusing your mail clients):

gpg: Signature made Fri Sep 22 08:39:10 2000 PDT using DSA key ID CF0A42AC
gpg: Good signature from "Jeffrey W. Baker <jwbaker () acm org>"

Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA5y30eMAHoQs8KQqwRAoGjAJ4z2KL+5+mm3aBcPALsxafi4q5WMwCeI/5Q
UfCeHZa4JZR2RLMxewB/lmM=
=kIHU

*Footnotes
[1] http://www.etrade.com/cgi-bin/gx.cgi/AppLogic+About?gxml=hpc_disc_secure_c.html&lvl=about

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5y4QQMAHoQs8KQqwRAt3JAKC4ziBRJuIQ5eTg5suLMNXtEbiI1wCgpv4M
CHiCzc22WmUXb+gSn1ZRxFM=
=gOYt
-----END PGP SIGNATURE-----
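The "Proof of exploit" section withholds the advisory itself but publishes a detached GnuPG signature over it, so that whatever document is released later can be checked against a commitment made today. The following is an added example, not part of the original post, that shows the same commit-then-reveal idea with a plain SHA-256 digest in Python: the digest is published now, and when the document is revealed anyone can recompute it and compare. The ADVISORY bytes are a constructed placeholder for the withheld text, and the function names are my own. A bare hash proves only that the revealed document is the one committed to; the author's detached signature additionally binds the commitment to his key, which is why gpg is the right tool for the real thing.

```python
import hashlib
import hmac

# Constructed placeholder standing in for the withheld advisory text.
ADVISORY = b"Full advisory text (constructed placeholder, not the real document)\n"


def commit(document: bytes) -> str:
    """Produce the value published at commitment time: the hex SHA-256 of the document.

    Publishing this digest (or, as in the post, a signature over the document)
    fixes the content now without revealing it.
    """
    return hashlib.sha256(document).hexdigest()


def verify(document: bytes, published_commitment: str) -> bool:
    """At reveal time, recompute the digest of the released document and compare
    it with the commitment published earlier. compare_digest avoids leaking
    how many leading characters matched through timing.
    """
    return hmac.compare_digest(commit(document), published_commitment)


def demo() -> dict:
    """Run the whole protocol: commit, then verify the genuine reveal and a
    tampered one. Returns the results so a caller can inspect them."""
    published = commit(ADVISORY)          # what goes out in the alert today
    tampered = ADVISORY.replace(b"Full", b"Edited")  # a document altered after the fact
    return {
        "commitment": published,
        "original_verifies": verify(ADVISORY, published),
        "tampered_verifies": verify(tampered, published),
    }


if __name__ == "__main__":
    result = demo()
    print("published commitment:", result["commitment"])
    print("original verifies:   ", result["original_verifies"])
    print("tampered verifies:   ", result["tampered_verifies"])
```

The deadline clause in the post ("or on 21 February 2001, whichever comes first") is what makes the commitment useful to readers: the digest alone shows that a later-released document is unchanged, while the date tells them when to expect it.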