September 29, 2000
10:52 AM Subscribe
Anyone trading on E*trade should read this thread at securityfocus.
this post is the original exploit post.
From dabitch's link I get the impression that it's a cooke problem.
I like the way the person who discovered the exploit is handling it. Without explicitly stating how to get the exploit, they're making it public knowledge a month after letting e*trade have at it for a while.
I wonder how long the exploit gets posted on fuckedcompany.com, and I wonder how long after the fuckedcompany posting it becomes a media playground...
posted by cCranium at 11:11 AM on September 29, 2000
From dabitch's link I get the impression that it's a cooke problem.
I like the way the person who discovered the exploit is handling it. Without explicitly stating how to get the exploit, they're making it public knowledge a month after letting e*trade have at it for a while.
I wonder how long the exploit gets posted on fuckedcompany.com, and I wonder how long after the fuckedcompany posting it becomes a media playground...
posted by cCranium at 11:11 AM on September 29, 2000
Correct - it is a cookie-related thing. E*trade has made some changes since the exploit has been discovered, they just haven't changed *enough*.
The handling of the exploit has warranted some debate on Bugtraq's as well, nobody want's to cause a mediapanic as the scenario you describe. I was actually contemplating for days if I should post this or not - panicmediafrenzy doesn't exactly help.
posted by dabitch at 12:04 PM on September 29, 2000
The handling of the exploit has warranted some debate on Bugtraq's as well, nobody want's to cause a mediapanic as the scenario you describe. I was actually contemplating for days if I should post this or not - panicmediafrenzy doesn't exactly help.
posted by dabitch at 12:04 PM on September 29, 2000
Panimediafrenzy never helps, which is why I'm very impressed with the original post (the one I linked to), where pretty much nothing is said, but he says (to summarize) there IS a problem with E*Trade, they've been made aware of it, and they haven't resolved it due to "Corporate Inertia" so watch your asses."
posted by cCranium at 1:07 PM on September 29, 2000
posted by cCranium at 1:07 PM on September 29, 2000
I always thought the real problem with E*Trade is that they use 6 characters MAX passwords for logon. And I presume most people don't use a different trading password. And I know my default password was all caps and all letters. So that's only 3 million combinations or so. I really hope they do password lockout after a few wrong tries.
posted by smackfu at 2:02 PM on September 29, 2000
posted by smackfu at 2:02 PM on September 29, 2000
ETRADE was informed of the vulnerability a month ago. They store the user name and password in a cookie, in the browser, in CLEAR text. The vulnerability is based in part on cross-site scripting, a javascript based attack.
It is VERY easy to exploit this. I just exploited this very same attack recently during a security assessment (this was minor compared to all the holes found in their 'secure' banking servers). It's ridiculous how basic network/systems security is overlooked by companies looking to save some $$. In the long run it always bites them in the ass.
posted by chiXy at 2:04 PM on September 29, 2000
It is VERY easy to exploit this. I just exploited this very same attack recently during a security assessment (this was minor compared to all the holes found in their 'secure' banking servers). It's ridiculous how basic network/systems security is overlooked by companies looking to save some $$. In the long run it always bites them in the ass.
posted by chiXy at 2:04 PM on September 29, 2000
Yeah cCranium, thanks for finding the original post (I had trouble finding it but in my inbox) I completly agree, also it's been one of the better threads on Bugtraqs for a lamer like me as they discuss how to handle things like this. Good to hear all views on it.
posted by dabitch at 2:08 PM on September 29, 2000
posted by dabitch at 2:08 PM on September 29, 2000
« Older Small town America. | The George W. Dance. Newer »
This thread has been archived and is closed to new comments
posted by mathowie at 11:04 AM on September 29, 2000