Home page logo

bugtraq logo Bugtraq mailing list archives

Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable
From: James Mancini <jmancini () NETREO NET>
Date: Mon, 25 Sep 2000 13:29:30 -0700

If you couple the cookie vulnerability (and trivial obfuscation of
Username/password combinations) with the fact that E-Trade doesn't permit
strong passwords[1], it becomes clear that they don't have a real security
focus. When I pointed out the weak passwords to them, their response was
"no one else complained."

[1] since E-Trade only recognizes letters, numbers, "$", "_", and space in
passwords, and has a maximum password length of 6 characters, a
brute-force attack on the password (assuming a rate of 100,000
attempts/sec) it would take a maximum of 8 days 17 hours 29 mins 49 secs
to brute-force the password. This attack is impractical simply because the
cookie vulnerability already discussed allows for real-time access without
all the tedium of brute-force attacking.

James Mancini, CCIE #2006                     Netreo
Chief Strategy Officer               V: 714.560.8935
<jmancini () netreo net>                F: 714.560.8937
    Rock-Solid Foundations for Internet Business

Attachment: smime.p7s

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]