Home page logo

bugtraq logo Bugtraq mailing list archives

Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable
From: Marc Slemko <marcs () ZNEP COM>
Date: Sun, 24 Sep 2000 23:39:50 -0700

On Sun, 24 Sep 2000, Marc Slemko wrote:

But it is worse than this in this case; even before the cross site
scripting issue made it clear how much this sort of stuff matters,
it was still a bad practice to allow someone who steals a long-lived
cookie full access to sensitive information.  E*TRADE did the
"obvious" end of this properly by requiring a password in addition
to a cookie, but screwed up big time by then sticking that password
in a trivially encoded fashion into the cookie.  I mean, good grief;
this cookie is sent to the site without using SSL even!  So if you are an
etrade user, then it is almost certain that your username and password
are going across the wire unencrypted.  It is... quite difficult for users
to try working around this problem.  etrade just needs to get with it.

And even worse, after I changed my password just now, it appears that
etrade got confused about what my username was and what my password
was, so it spit out both my username, my password, and some extra garbage
in places where it was trying to show my username!  This all unencrypted
across the wire, and not even obfuscated.

Good thing that is just a test login I setup that doesn't have a real
etrade account associated with it...   I currently have a real account
that is being automatically transferred over from another brokerage
that sold its retail customers to etrade.  I think it is pretty obvious
what I have to do with that account now...

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]