Information Security News mailing list archives

E*Trade security hole still not bunged


From: William Knowles <wk () C4I ORG>
Date: Thu, 28 Sep 2000 04:08:07 -0500

http://www.theregister.co.uk/content/6/13580.html

By: Thomas C Greene in Washington
Posted: 27/09/2000 at 20:48 GMT

"A steel vault. A moat. Fort Knox. We've got something a little
better," on-line brokerage firm E*Trade boasts to its prospective
customers. E*Trade employs "some of the most advanced technology for
Web security," the PR blurb continues. "In other words, your personal
information is for your eyes only."

So naturally it was with utter denial that E*Trade confronted network
security specialist Jeffrey Baker's announcement that he'd found a
gaping security hole in the company's Web service which could have
enabled malicious hackers to use company-issued cookies to access and
control customer accounts with ease.

After a frustrating month of unsuccessful efforts to get E*Trade
security geeks to acknowledge and address the problem, Baker reported
it to Bugtraq Friday, after which the company quietly set to work on a
slapdash fix.

"E*TRADE seems to have rolled out a new cookie scheme over the
weekend, but it isn't going to do one bit of good unless they plug the
dozens of cross-site scripting problems littering their site," Baker
says.

E*Trade uses "an incredibly bone-headed cookie authentication scheme,"
Baker says, with a trivial encryption scheme, which would allow "a
remote third-party attacker to recover the username and password of
any E*TRADE user. The attacker can use this information to gain full
control over the E*TRADE account."

Not a particularly good state of affairs when you run a financial
services Web site. The company has been predictably secretive, and has
not to date posted any announcement or warning regarding the flaw on
its site. Indeed, E*Trade didn't even bother to beef up encryption of
account information in their cookies until after Baker publicized the
gaffe.

The company press office insists vehemently that no user accounts have
been compromised as a result of the hole, but of course we have no way
of verifying the claim.

And still the site remains vulnerable to cross-site scripting, a
well-known JavaScript attack in which a malicious hacker creates a URL
allowing access to the E*Trade cookie. These could be sent to victims
in e-mail messages or concealed on malicious Web sites. The
vulnerability was described by the Computer Emergency Response Team
(CERT) in early February.
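As an added illustration (not code from the article, from Baker's Bugtraq report, or from E*Trade), the following contrasts the class of flaw described above with a defensive design: a cookie that embeds the username and password under a reversible transform, which anyone holding the cookie value can undo, beside a session cookie that carries only an opaque random token, integrity-protected with an HMAC, and is set with HttpOnly so injected script of the cross-site-scripting kind cannot read it. The XOR transform, key and account names are constructed for illustration and are not E*Trade's actual scheme.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed for illustration only: a fixed-key XOR is the kind of
# "trivial encryption" the article refers to, NOT E*Trade's actual scheme.
WEAK_KEY = 0x5A


def weak_cookie(username: str, password: str) -> str:
    """Embed the credentials themselves in the cookie (reversible)."""
    raw = f"{username}:{password}".encode()
    return base64.b64encode(bytes(b ^ WEAK_KEY for b in raw)).decode()


def recover_from_weak_cookie(cookie: str) -> Tuple[str, str]:
    """Anyone who obtains the cookie value recovers both credentials."""
    raw = bytes(b ^ WEAK_KEY for b in base64.b64decode(cookie)).decode()
    user, pw = raw.split(":", 1)
    return user, pw


# Hardened alternative: the cookie holds only an opaque random token plus an
# HMAC tag under a server-side secret. Credentials never leave the server;
# the token is mapped to the account in a server-side store.
SERVER_SECRET = secrets.token_bytes(32)   # assumed: kept only on the server
SESSIONS = {}                             # token -> username (server side)


def _tag(token: str) -> str:
    return hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str) -> str:
    """Create a session and return the cookie value 'token.tag'."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return f"{token}.{_tag(token)}"


def validate_session(cookie: str) -> Optional[str]:
    """Return the username for an untampered token, else None."""
    token, _, tag = cookie.rpartition(".")
    if not hmac.compare_digest(tag, _tag(token)):
        return None
    return SESSIONS.get(token)


def set_cookie_header(cookie: str) -> str:
    """HttpOnly keeps the value away from script; Secure keeps it off plain HTTP."""
    return f"Set-Cookie: session={cookie}; Secure; HttpOnly; Path=/"
```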


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
