Bugtraq mailing list archives
Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable
From: Marc Slemko <marcs () ZNEP COM>
Date: Mon, 25 Sep 2000 10:21:39 -0700
On Sun, 24 Sep 2000, Marc Slemko wrote:
For better or worse, I have no compunctions about making exploits for poorly designed applications public after a company has refused to take action despite knowing about the risks, plus I felt like doing some quick and dirty coding tonight. There is no way they (whoever "they" are; this may well be code developed by some outside company) should have written the code this way to begin with, and there is no way it should have been missed in the security audits that etrade hopefully did. It took me ~2 minutes after reading the first couple of lines of this advisory to figure out what the issue is and verify it by observing a few cookie values. It then took half an hour to work out the algorithm used and write up the script to decode it. A little perl script that will decode etrade's etmember cookies into a username and password is included at the end of this message.
Update: it appears that, this morning, they changed the cookie they use, so yes, I know the perl script I wrote no longer works. Interesting timing. I haven't looked too deeply at if it is much better since their site has been slow or down for me for the past while... But it does seem to vary for each login, which is a good sign. Also, there are some slight differences if you use a real brokerage account instead of the free "member" accounts. The cookie is named differently, you get sent by default to a SSL page (but it may not be set to "secure" so may still be able to easily end up sending it to a non-SSL page). The differences, in general, are fairly minor from what I know. Ick. etrade customers should be asking themselves why etrade didn't give a damn about this problem until it was made public, and what other problems there may be hidden away at etrade... or at whatever online service you use.
Current thread:
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Marc Slemko (Sep 25)
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Marc Slemko (Sep 25)
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable James Mancini (Sep 25)
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Marc Slemko (Sep 25)
- Advisory: E*TRADE security problems in full Jeffrey W. Baker (Sep 25)
- Re: Advisory: E*TRADE security problems in full Ben Galehouse (Sep 26)
- Re: Advisory: E*TRADE security problems in full Gunther Birznieks (Sep 27)
- Re: Advisory: E*TRADE security problems in full reb (Sep 27)
- Re: Advisory: E*TRADE security problems in full Signal 11 (Sep 28)
- Re: Advisory: E*TRADE security problems in full Ben Galehouse (Sep 26)
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Marc Slemko (Sep 25)
- <Possible follow-ups>
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Bridgette Julie Landers (Sep 26)