
Title: E*TRADE Usernames and Passwords Remotely Recoverable
Released by: Jeffrey W. Baker
Date: 22nd September 2000

User Alert: E*TRADE Usernames and Passwords Remotely Recoverable

22 September 2000

Jeffrey W. Baker, email jwbaker@acm.org

*Copyright Statement

This security advisory is Copyright 2000 by Jeffrey William Baker (jwbaker@acm.org).  The advisory may be distributed in whole or in part without modification.


This is a User Alert.  This document is intended to alert users to the vulnerabilities they face when using insecure computer software.  This User Alert will show who is at risk, what the risks are, and how the user can protect himself.  Unlike a Security Advisory, this document will not describe the actual flaws in the software, nor will it describe an exploit.  However, it will include proof that the exploit exists.

My hope is that this style of Alert will allow users to protect themselves, without unnecessarily spreading information about specific exploits.  If software companies were willing to alert their users to security risks, this type of Alert would not be needed.


E*TRADE is a company which allows its customers to trade securities using the World Wide Web.  In E*TRADE's own words, they have "some of the most advanced technology for Web security."  E*TRADE compares their services to a steel vault, a moat, and Fort Knox.[1]

Between 17 and 21 August 2000, I discovered a number of vulnerabilities in the security of E*TRADE's systems.  E*TRADE was contacted via the email aliases security@etrade.com and webmaster@etrade.com on 21 August 2000.  Soon thereafter I was in contact with the Director of System Security and the Manager of Security Threat Analysis.  Emails were exchanged on 21, 22, and 23 August 2000.  E*TRADE officials indicated that they were already aware of the security problems listed herein, but had not fixed them due to various kinds of corporate inertia.  At the time of this writing, the problems are still outstanding in E*TRADE production systems, and no estimated date has been mentioned for fixing them.

This alert is needed because E*TRADE has not alerted their customers to the risk involved when using the E*TRADE service.  The users have a great deal of money at stake, and are unable to evaluate these risks for themselves.  This is perhaps something that would be of interest to the U.S. Securities and Exchange Commission.

*Who is at risk

Most E*TRADE users are at risk.

*What is the potential risk

Due to flaws in E*TRADE's software, a remote third party can recover the usernames and plain-text passwords of any E*TRADE user.  The vector of attack can be a malicious (but innocent looking) web site, an email, or a variety of more obscure methods.  A local compromise of the user's machine is not required.  The attacker only needs to seek out known or likely E*TRADE users and contact them.

The result of the attack is that the attacker will have the user's username and password.  This will allow the attacker arbitrary access to the account, including banking, securities trading, and other valuable

*How the user can protect himself

The user can protect himself by disabling JavaScript in the browser, and by not using the E*TRADE service.

*Proof of exploit

I have written a full advisory describing the vulnerability and the exploit.  This document is stored offline on a CD in a safe place.  When E*TRADE repairs their systems, or on 21 February 2001, whichever comes first, the advisory will be released.  This is the detached signature of the advisory, without the BEGIN and END delimiters (to avoid confusing your mail clients):

gpg: Signature made Fri Sep 22 08:39:10 2000 PDT using DSA key ID CF0A42AC
gpg: Good signature from "Jeffrey W. Baker "
