September 29, 2000
10:52 AM   Subscribe

Anyone trading on E*trade should read this thread at securityfocus.
posted by dabitch (7 comments total)
Where's the thread saying exactly what is wrong with etrade's cookies? Are usernames and passwords stored in them as clear text?
posted by mathowie at 11:04 AM on September 29, 2000

this post is the original exploit post.

From dabitch's link I get the impression that it's a cooke problem.

I like the way the person who discovered the exploit is handling it. Without explicitly stating how to get the exploit, they're making it public knowledge a month after letting e*trade have at it for a while.

I wonder how long the exploit gets posted on, and I wonder how long after the fuckedcompany posting it becomes a media playground...
posted by cCranium at 11:11 AM on September 29, 2000

Correct - it is a cookie-related thing. E*trade has made some changes since the exploit has been discovered, they just haven't changed *enough*.

The handling of the exploit has warranted some debate on Bugtraq's as well, nobody want's to cause a mediapanic as the scenario you describe. I was actually contemplating for days if I should post this or not - panicmediafrenzy doesn't exactly help.
posted by dabitch at 12:04 PM on September 29, 2000

Panimediafrenzy never helps, which is why I'm very impressed with the original post (the one I linked to), where pretty much nothing is said, but he says (to summarize) there IS a problem with E*Trade, they've been made aware of it, and they haven't resolved it due to "Corporate Inertia" so watch your asses."
posted by cCranium at 1:07 PM on September 29, 2000

I always thought the real problem with E*Trade is that they use 6 characters MAX passwords for logon. And I presume most people don't use a different trading password. And I know my default password was all caps and all letters. So that's only 3 million combinations or so. I really hope they do password lockout after a few wrong tries.
posted by smackfu at 2:02 PM on September 29, 2000

ETRADE was informed of the vulnerability a month ago. They store the user name and password in a cookie, in the browser, in CLEAR text. The vulnerability is based in part on cross-site scripting, a javascript based attack.

It is VERY easy to exploit this. I just exploited this very same attack recently during a security assessment (this was minor compared to all the holes found in their 'secure' banking servers). It's ridiculous how basic network/systems security is overlooked by companies looking to save some $$. In the long run it always bites them in the ass.
posted by chiXy at 2:04 PM on September 29, 2000

Yeah cCranium, thanks for finding the original post (I had trouble finding it but in my inbox) I completly agree, also it's been one of the better threads on Bugtraqs for a lamer like me as they discuss how to handle things like this. Good to hear all views on it.
posted by dabitch at 2:08 PM on September 29, 2000

« Older Small town America.   |   The George W. Dance. Newer »

This thread has been archived and is closed to new comments