Information Security News mailing list archives
E-Trade Says It Has Fixed Password Security Hole
From: InfoSec News <isn () C4I ORG>
Date: Tue, 26 Sep 2000 03:27:02 -0500
http://www.thestandard.com/article/display/0,1151,18849,00.html

September 25, 2000, 6:35 PM PDT
By Elinor Abreu

E-Trade has released a more secure version of the software it uses to store passwords after learning that it had been leaving accounts at the online brokerage vulnerable to access by outsiders.

The company stores information about customer passwords in cookies, which are stored on customers' computers. Until Sunday, the password information was protected by a scrambling technique that proved to be a weak form of security. E-Trade spokeswoman Heather Fondo said the company has since strengthened the scrambling technique.

"At no point was any customer information compromised," she says. "E-Trade is always very vigilant in its security efforts."

But the vulnerable cookie was not the only problem. E-Trade's Web site is also susceptible to what is called a "cross-site scripting attack," whereby an attacker could create a Web link allowing access to the cookie and the passwords it contains if an E-Trade customer were to click on that link. The links could then be sent to target victims in e-mail or could be hidden on Web sites.

Making it more difficult to gain access to the password stored in the cookie, which E-Trade said it has now done, should solve the immediate problem. However, the cross-site scripting attack, which affects browsers and many other sites, could still pose problems with other unsecured information stored in cookies.

The password vulnerability was discovered by Jeffrey Baker, who wrote about it on the BugTraq mailing list Friday. Baker said in his posting that he notified E-Trade about the problem a month earlier but nothing had been done, so he felt compelled to alert E-Trade customers to the potential risk.
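The two designs the article contrasts, as an added Python illustration that is not E-Trade's code or part of the original article: a cookie that carries reversibly "scrambled" password material (base64 stands in here for whatever E-Trade's weak technique was, which the article does not describe), beside a cookie that holds only an opaque server-side session token marked HttpOnly so page script cannot read it, plus the output encoding that stops a crafted link from injecting script in the first place. Cookie names and the in-memory session store are constructed for the example.

```python
import base64
import html
import secrets
from http.cookies import SimpleCookie

# --- Weak design (constructed stand-in): the cookie carries the password itself,
# protected only by a reversible encoding, and persists for a six-month login.
def weak_login_cookie(username: str, password: str) -> str:
    scrambled = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"etrade_auth={scrambled}; Max-Age={180 * 24 * 3600}"

def password_from_weak_cookie(set_cookie_header: str) -> str:
    # Whoever obtains the cookie value (for instance script running in the
    # victim's browser) recovers the password directly; there is no secret.
    value = set_cookie_header.split(";", 1)[0].split("=", 1)[1]
    return base64.b64decode(value).decode().split(":", 1)[1]

# --- Hardened design: the cookie is a random token mapped to the session on the
# server. It contains no password material, can be revoked server-side, and
# HttpOnly keeps it out of document.cookie, the channel a cross-site script reads.
SESSIONS = {}  # token -> username; in-memory stand-in for a real session store

def hardened_login_cookie(username: str) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return f"etrade_session={token}; Secure; HttpOnly; SameSite=Lax"

def script_can_read(set_cookie_header: str) -> bool:
    """True if page JavaScript could read this cookie (no HttpOnly attribute)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    (morsel,) = jar.values()
    return not morsel["httponly"]

# --- Output encoding: a parameter reflected from a crafted link is rendered as
# text rather than markup, so the link cannot plant script in the page.
def render_greeting(name_param: str) -> str:
    return f"<p>Welcome back, {html.escape(name_param, quote=True)}</p>"

if __name__ == "__main__":
    weak = weak_login_cookie("alice", "hunter2")
    print("weak cookie leaks:", password_from_weak_cookie(weak), script_can_read(weak))
    hard = hardened_login_cookie("alice")
    print("hardened cookie readable by script:", script_can_read(hard))
    print(render_greeting('"><script>alert(1)</script>'))
```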
Baker recommends that, in order to protect their accounts, E-Trade customers should:
- disable JavaScript in their browsers;
- avoid using the six-month login feature on the Web site;
- always close and restart the browser before and after using E-Trade;
- remove E-Trade cookies after using the Web site to make the cookies file read-only;
- firewall outgoing requests to all hosts that are not from E-Trade's Web site when using the brokerage's service.

If exploited, the vulnerability could have allowed unauthorized users to manipulate the stock market by buying and selling stocks from accounts they illegally access, said Elias Levy, CTO of security portal SecurityFocus.com.

This is not the first time a security hole has been found at the Web site of a financial institution. In a much-publicized case back in February, a technical glitch at H&R Block's (HRB) Web site exposed customer tax information to other customers.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".