Information Security News mailing list archives

E-Trade Says It Has Fixed Password Security Hole


From: InfoSec News <isn () C4I ORG>
Date: Tue, 26 Sep 2000 03:27:02 -0500

http://www.thestandard.com/article/display/0,1151,18849,00.html

September 25, 2000, 6:35 PM PDT

By Elinor Abreu

E-Trade has released a more secure version of the software it uses to
store passwords after learning that it had been leaving accounts at
the online brokerage vulnerable to access by outsiders.

The company stores information about customer passwords in cookies,
which are stored on customers' computers. Until Sunday, the password
information was protected by a scrambling technique that proved to be
a weak form of security. E-Trade spokeswoman Heather Fondo said the
company has since strengthened the scrambling technique.

"At no point was any customer information compromised," she says.
"E-Trade is always very vigilant in its security efforts."

But the vulnerable cookie was not the only problem. E-Trade's Web site
is also susceptible to what is called a "cross-site scripting attack,"
whereby an attacker could create a Web link allowing access to the
cookie and the passwords it contains if an E-Trade customer were to
click on that link. The links could then be sent to target victims in
e-mail or could be hidden on Web sites.

Making it more difficult to gain access to the password stored in the
cookie, which E-Trade said it has now done, should solve the immediate
problem. However, the cross-site scripting attack, which affects
browsers and many other sites, could still pose problems with other
unsecured information stored in cookies.
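The two cookie designs the article contrasts, shown side by side as an added Python example that is not from the article and does not reproduce E-Trade's actual scheme: a cookie carrying reversibly "scrambled" password material (the XOR scrambler and its fixed key are constructed stand-ins) versus a cookie carrying only an opaque server-side session id, marked HttpOnly so page scripts cannot read it. The in-memory session store is an assumption for illustration.

```python
import base64
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Weak design: a reversible transform applied to the password itself.
# Constructed stand-in (XOR with a fixed key, then base64), not E-Trade's scheme.
# Whoever holds the cookie value can undo it, so it protects nothing.
SCRAMBLE_KEY = b"fixed-key"

def _xor(data: bytes) -> bytes:
    return bytes(b ^ SCRAMBLE_KEY[i % len(SCRAMBLE_KEY)] for i, b in enumerate(data))

def scramble_password(password: str) -> str:
    return base64.b64encode(_xor(password.encode())).decode()

def unscramble_password(cookie_value: str) -> str:
    # The inverse needs only the cookie value and the (fixed) key.
    return _xor(base64.b64decode(cookie_value)).decode()

# Hardened design: the password never leaves the server. The cookie holds a
# random identifier that is meaningless without the server-side session table.
SESSIONS: Dict[str, str] = {}  # session id -> account (assumed in-memory store)

def issue_session(account: str) -> str:
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    SESSIONS[sid] = account
    return sid

def revoke_session(sid: str) -> None:
    # Server-side revocation: a stolen or leftover cookie stops working immediately,
    # which is what the "remove cookies after use" advice tries to approximate client-side.
    SESSIONS.pop(sid, None)

def account_for(sid: str) -> Optional[str]:
    return SESSIONS.get(sid)

def session_cookie_header(sid: str) -> str:
    # HttpOnly keeps the cookie out of reach of injected page script (the
    # cross-site scripting path); Secure keeps it off plaintext connections.
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["path"] = "/"
    return c.output(header="").strip()
```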

The password vulnerability was discovered by Jeffrey Baker, who wrote
about it on the BugTraq mailing list Friday. Baker said in his posting
that he notified E-Trade about the problem a month earlier but nothing
had been done, so he felt compelled to alert E-Trade customers to the
potential risk.

Baker recommends that in order to protect their accounts, E-Trade
customers should disable JavaScript in their browsers; avoid using the
six-month login feature on the Web site; always close and restart the
browser before and after using E-Trade; remove E-Trade cookies after
using the Web site, or make the cookies file read-only; and firewall
outgoing requests to all hosts that are not from E-Trade's Web site
when using the brokerage's service.

If exploited, the vulnerability could have allowed unauthorized users
to manipulate the stock market by buying and selling stocks from
accounts they illegally access, said Elias Levy, CTO of security
portal SecurityFocus.com.

This is not the first time a security hole has been found at the Web
site of a financial institution. In a much-publicized case back in
February, a technical glitch at H&R Block's (HRB) Web site exposed
customer tax information to other customers.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".