mailing list archives
Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable
From: Marc Slemko <marcs () ZNEP COM>
Date: Mon, 25 Sep 2000 10:21:39 -0700
On Sun, 24 Sep 2000, Marc Slemko wrote:
For better or worse, I have no compunctions about making exploits
for poorly designed applications public after a company has refused
to take action despite knowing about the risks, plus I felt like
doing some quick and dirty coding tonight. There is no way they
(whoever "they" are; this may well be code developed by some outside
company) should have written the code this way to begin with, and
there is no way it should have been missed in the security audits
that etrade hopefully did.
It took me ~2 minutes after reading the first couple of lines of
this advisory to figure out what the issue is and verify it by
observing a few cookie values. It then took half an hour to work
out the algorithm used and write up the script to decode it. A
little perl script that will decode etrade's etmember cookies into
a username and password is included at the end of this message.
Update: it appears that, this morning, they changed the cookie they
use, so yes, I know the perl script I wrote no longer works.
Interesting timing. I haven't looked too deeply at if it is much
better since their site has been slow or down for me for the past
while... But it does seem to vary for each login, which is a good
Also, there are some slight differences if you use a real brokerage
account instead of the free "member" accounts. The cookie is named
differently, you get sent by default to a SSL page (but it may not be set
to "secure" so may still be able to easily end up sending it to a non-SSL
page). The differences, in general, are fairly minor from what I know.
etrade customers should be asking themselves why etrade didn't give a damn
about this problem until it was made public, and what other problems there
may be hidden away at etrade... or at whatever online service you use.