This article is more than 1 year old

E*Trade security hole still not bunged

Company sticks finger in dike, expert says

"A steel vault. A moat. Fort Knox. We've got something a little better," on-line brokerage firm E*Trade boasts to its prospective customers. E*Trade employs "some of the most advanced technology for Web security," the PR blurb continues. "In other words, your personal information is for your eyes only."

So naturally it was with utter denial that E*Trade confronted network security specialist Jeffrey Baker's announcement that he'd found a gaping security hole in the company's Web service which could have enabled malicious hackers to use company-issued cookies to access and control customer accounts with ease.

After a frustrating month of unsuccessful efforts to get E*Trade security geeks to acknowledge and address the problem, Baker reported it to Bugtraq Friday, after which the company quietly set to work on a slapdash fix.

"E*TRADE seems to have rolled out a new cookie scheme over the
weekend, but it isn't going to do one bit of good unless they plug the
dozens of cross-site scripting problems littering their site," Baker says.

E*Trade uses "an incredibly bone-headed cookie authentication scheme," Baker says, with a trivial encryption scheme, which would allow "a remote third-party attacker to recover the username and password of any E*TRADE user. The attacker can use this information to gain full control over the E*TRADE account."

Not a particularly good state of affairs when you run a financial services Web site. The company has been predictably secretive, and has not to date posted any announcement or warning regarding the flaw on its site. Indeed, E*Trade didn't even bother to beef up encryption of account information in their cookies until after Baker publicized the gaffe.

The company press office insists vehemently that no user accounts have been compromised as a result of the hole, but of course we have no way of verifying the claim.

And still the site remains vulnerable to cross-site scripting, a well-known JavaScript attack in which a malicious hacker creates a URL allowing access to the E*Trade cookie. These could be sent to victims in e-mail messages or concealed on malicious Web sites. The vulnerability was described by the Computer Emergency Response Team (CERT) in early February.

Further details on the E*Trade security debacle are available from SecurityFocus.com here and here. ®

More about

TIP US OFF

Send us news


Other stories you might like