Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable

[Marc Slemko <marcs () ZNEP COM>]

On Sun, 24 Sep 2000, Marc Slemko wrote:

> For better or worse, I have no compunctions about making exploits
> for poorly designed applications public after a company has refused
> to take action despite knowing about the risks, plus I felt like
> doing some quick and dirty coding tonight.  There is no way they
> (whoever "they" are; this may well be code developed by some outside
> company) should have written the code this way to begin with, and
> there is no way it should have been missed in the security audits
> that etrade hopefully did.
>
> It took me ~2 minutes after reading the first couple of lines of
> this advisory to figure out what the issue is and verify it by
> observing a few cookie values.  It then took half an hour to work
> out the algorithm used and write up the script to decode it.  A
> little perl script that will decode etrade's etmember cookies into
> a username and password is included at the end of this message.

Update: it appears that, this morning, they changed the cookie they
use, so yes, I know the perl script I wrote no longer works.
Interesting timing.  I haven't looked too deeply at if it is much
better since their site has been slow or down for me for the past
while...  But it does seem to vary for each login, which is a good
sign.

Also, there are some slight differences if you use a real brokerage
account instead of the free "member" accounts.  The cookie is named
differently, you get sent by default to a SSL page (but it may not be set
to "secure" so may still be able to easily end up sending it to a non-SSL
page).  The differences, in general, are fairly minor from what I know.

Ick.

etrade customers should be asking themselves why etrade didn't give a damn
about this problem until it was made public, and what other problems there
may be hidden away at etrade... or at whatever online service you use.