Where's the thread saying exactly what is wrong with etrade's cookies? Are usernames and passwords stored in them as clear text?
posted by mathowie at 11:04 AM on September 29, 2000

this post is the original exploit post.

From dabitch's link I get the impression that it's a cooke problem.

I like the way the person who discovered the exploit is handling it. Without explicitly stating how to get the exploit, they're making it public knowledge a month after letting e*trade have at it for a while.

I wonder how long the exploit gets posted on fuckedcompany.com, and I wonder how long after the fuckedcompany posting it becomes a media playground...
posted by cCranium at 11:11 AM on September 29, 2000

Correct - it is a cookie-related thing. E*trade has made some changes since the exploit has been discovered, they just haven't changed *enough*.

The handling of the exploit has warranted some debate on Bugtraq's as well, nobody want's to cause a mediapanic as the scenario you describe. I was actually contemplating for days if I should post this or not - panicmediafrenzy doesn't exactly help.
posted by dabitch at 12:04 PM on September 29, 2000

Panimediafrenzy never helps, which is why I'm very impressed with the original post (the one I linked to), where pretty much nothing is said, but he says (to summarize) there IS a problem with E*Trade, they've been made aware of it, and they haven't resolved it due to "Corporate Inertia" so watch your asses."
posted by cCranium at 1:07 PM on September 29, 2000

I always thought the real problem with E*Trade is that they use 6 characters MAX passwords for logon. And I presume most people don't use a different trading password. And I know my default password was all caps and all letters. So that's only 3 million combinations or so. I really hope they do password lockout after a few wrong tries.
posted by smackfu at 2:02 PM on September 29, 2000

ETRADE was informed of the vulnerability a month ago. They store the user name and password in a cookie, in the browser, in CLEAR text. The vulnerability is based in part on cross-site scripting, a javascript based attack.

It is VERY easy to exploit this. I just exploited this very same attack recently during a security assessment (this was minor compared to all the holes found in their 'secure' banking servers). It's ridiculous how basic network/systems security is overlooked by companies looking to save some $$. In the long run it always bites them in the ass.
posted by chiXy at 2:04 PM on September 29, 2000

Yeah cCranium, thanks for finding the original post (I had trouble finding it but in my inbox) I completly agree, also it's been one of the better threads on Bugtraqs for a lamer like me as they discuss how to handle things like this. Good to hear all views on it.
posted by dabitch at 2:08 PM on September 29, 2000