[16887] in bugtraq


Re: User Alert: E*TRADE Usernames and Passwords Remotely

daemon@ATHENA.MIT.EDU (Marc Slemko)
Mon Sep 25 11:50:40 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSF.4.20.0009242335020.22726-100000@alive.znep.com>
Date:         Sun, 24 Sep 2000 23:39:50 -0700
Reply-To: Marc Slemko <marcs@ZNEP.COM>
From: Marc Slemko <marcs@ZNEP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.BSF.4.20.0009242327510.22726-100000@alive.znep.com>

On Sun, 24 Sep 2000, Marc Slemko wrote:

> But it is worse than this in this case; even before the cross site
> scripting issue made it clear how much this sort of stuff matters,
> it was still a bad practice to allow someone who steals a long-lived
> cookie full access to sensitive information.  E*TRADE did the
> "obvious" end of this properly by requiring a password in addition
> to a cookie, but screwed up big time by then sticking that password
> in a trivially encoded fashion into the cookie.  I mean, good grief;
> this cookie is sent to the site without using SSL even!  So if you are an
> etrade user, then it is almost certain that your username and password
> are going across the wire unencrypted.  It is... quite difficult for users
> to try working around this problem.  etrade just needs to get with it.

And even worse, after I changed my password just now, it appears that
etrade got confused about what my username was and what my password
was, so it spit out both my username, my password, and some extra garbage
in places where it was trying to show my username!  All of this went unencrypted
across the wire, and not even obfuscated.

Good thing that is just a test login I set up that doesn't have a real
etrade account associated with it...   I currently have a real account
that is being automatically transferred over from another brokerage
that sold its retail customers to etrade.  I think it is pretty obvious
what I have to do with that account now...
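The design point in the quoted paragraph (a stolen long-lived cookie must not hand over the credentials, and the cookie should only travel over TLS), shown as an added Python example that is not from the original post or from E*TRADE; `weak_cookie`, `SessionStore` and `set_cookie_header` are hypothetical names, and the credentials used are constructed sample values:

```python
import base64
import hashlib
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple


def weak_cookie(username: str, password: str) -> str:
    """The anti-pattern the post describes: the credentials are only
    encoded, so whoever observes the cookie can read them back."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def recover_from_weak_cookie(value: str) -> Tuple[str, str]:
    """Encoding is not encryption: reversing it needs no secret at all."""
    user, _, password = base64.b64decode(value).decode().partition(":")
    return user, password


class SessionStore:
    """Hardened alternative: the cookie carries only a random, opaque token.
    The mapping to the account lives server-side; the password never
    appears in any cookie, so a captured cookie reveals nothing about it."""

    def __init__(self) -> None:
        # Store a digest of the token so a leaked session table cannot be
        # replayed directly either.
        self._sessions: dict = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._digest(token)] = username
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._sessions.get(self._digest(token))


def set_cookie_header(name: str, value: str) -> str:
    """Emit the Set-Cookie line with the attributes the post's scenario
    lacked: Secure confines the cookie to TLS, HttpOnly keeps it away
    from page scripts (the cross-site scripting angle mentioned above)."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")
```

Sensitive actions (trades, password changes) should still require the password again; the opaque token only proves that a login happened, it does not carry the credential itself.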
