Bugtraq mailing list archives
Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable
From: Marc Slemko <marcs () ZNEP COM>
Date: Sun, 24 Sep 2000 23:39:50 -0700
On Sun, 24 Sep 2000, Marc Slemko wrote:
But it is worse than this in this case; even before the cross site scripting issue made it clear how much this sort of stuff matters, it was still a bad practice to allow someone who steals a long-lived cookie full access to sensitive information. E*TRADE did the "obvious" end of this properly by requiring a password in addition to a cookie, but screwed up big time by then sticking that password in a trivially encoded fashion into the cookie. I mean, good grief; this cookie is sent to the site without using SSL even! So if you are an etrade user, then it is almost certain that your username and password are going across the wire unencrypted. It is... quite difficult for users to try working around this problem. etrade just needs to get with it.
And even worse, after I changed my password just now, it appears that etrade got confused about what my username was and what my password was, so it spit out both my username, my password, and some extra garbage in places where it was trying to show my username! All of this unencrypted across the wire, and not even obfuscated. Good thing that is just a test login I set up that doesn't have a real etrade account associated with it... I currently have a real account that is being automatically transferred over from another brokerage that sold its retail customers to etrade. I think it is pretty obvious what I have to do with that account now...
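The design mistake Marc describes (a long-lived cookie that carries the password itself in a trivially reversible encoding, set without the Secure attribute so the browser also sends it over plain HTTP) is easiest to see next to the pattern that avoids it. The following is an added example, not code from the post or from E*TRADE: it shows the weak cookie beside an opaque server-side session token, plus a small audit function a defender can run over a Set-Cookie header to flag missing attributes and recoverable credentials. The post does not say which encoding was used, so base64 here is an assumption standing in for it; the function and variable names and the sample credentials are constructed.

```python
import base64
import secrets
import time
from typing import Dict, List, Optional

# --- Weak pattern (constructed illustration of the flaw in the post) ---
# Credentials packed into a one-year cookie. base64 is an assumed stand-in for
# whatever "trivial encoding" the site actually used. No Secure attribute, so
# the browser sends it on plain-HTTP requests too, and anyone who captures it
# gets the password back with a single decode.
def weak_cookie(username: str, password: str) -> str:
    blob = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"auth={blob}; Max-Age=31536000; Path=/"


# --- Hardened pattern: opaque random token mapped to a server-side session ---
SESSIONS: Dict[str, dict] = {}   # token -> {"user": ..., "expires": ...}
SESSION_TTL = 15 * 60            # short-lived; re-prompt for the password after this


def issue_session(username: str, now: Optional[float] = None) -> str:
    """Create a session and return its token. The token carries no secret
    data of its own: 256 bits of randomness that only index SESSIONS."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "expires": now + SESSION_TTL}
    return token


def hardened_cookie(token: str) -> str:
    # Secure: never sent over plain HTTP.  HttpOnly: not readable by page
    # scripts, which limits what cross-site scripting can steal.
    # SameSite=Strict: not attached to cross-site requests.
    # No Max-Age: the cookie dies with the browser session.
    return f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


def lookup_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve a token to its user, expiring (and deleting) stale sessions."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None or now >= entry["expires"]:
        SESSIONS.pop(token, None)
        return None
    return entry["user"]


# --- Defender's check: audit a Set-Cookie header value ---
def audit_set_cookie(header: str, username: str, password: str) -> List[str]:
    """Return human-readable findings for one Set-Cookie header value.
    Flags missing Secure/HttpOnly and reports whether the known credentials
    are recoverable from the cookie value, plainly or after a base64 decode."""
    name_value, *attrs = [p.strip() for p in header.split(";")]
    _, _, value = name_value.partition("=")
    flags = {a.split("=", 1)[0].lower() for a in attrs}

    findings: List[str] = []
    if "secure" not in flags:
        findings.append("missing Secure: cookie will be sent over plain HTTP")
    if "httponly" not in flags:
        findings.append("missing HttpOnly: cookie readable by page scripts")

    candidates = [value]
    try:
        decoded = base64.b64decode(value, validate=True)
        candidates.append(decoded.decode("utf-8", "replace"))
    except ValueError:        # binascii.Error is a ValueError subclass
        pass
    if any(password in c for c in candidates):
        findings.append("password recoverable from cookie value")
    if any(username in c for c in candidates):
        findings.append("username recoverable from cookie value")
    return findings


if __name__ == "__main__":
    # Constructed sample credentials; not real account data.
    user, pw = "alice", "hunter2"
    print("weak:    ", audit_set_cookie(weak_cookie(user, pw), user, pw))
    tok = issue_session(user)
    print("hardened:", audit_set_cookie(hardened_cookie(tok), user, pw))
    print("session resolves to:", lookup_session(tok))
```

The audit function is the piece worth keeping around: pointed at a captured Set-Cookie header and the credentials of a test account, it answers the two questions the post raises, whether the cookie can travel over plain HTTP and whether the password is inside it. Session expiry is kept short on purpose, so a stolen token is useful for minutes rather than a year, and the server can revoke it by dropping the entry.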