Advisory Warns Of E-Trade Security Risk
Passwords used by account holders at E-Trade were at risk of being stolen until the online brokerage fixed the problem Monday morning, but apparently not until it was prompted to do so by a public posting of the glitch by a computer programmer.
On Friday, Jeffrey W. Baker posted an advisory about E-Trade on "BugTraq," an Internet mailing list that discusses computer-security vulnerabilities. In it, he wrote that "a combination of cross-site scripting and an incredibly bone-headed cookie authentication scheme allows a remote, third-party attacker to recover the user name and password of any E-Trade user. The attacker can use this information to gain full control over the E-Trade account."
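The weakness Baker describes combines two things: a cookie whose value lets a reader recover the credentials, and cross-site scripting that lets an attacker's script read that cookie. The advisory text does not give E-Trade's actual cookie format, so the headers below are constructed, hypothetical samples. The following audit function is an added example, not code from the article or from E-Trade; it flags a Set-Cookie header that carries a "user:password" pair (plain or base64-encoded) and checks for the HttpOnly and Secure attributes that limit what page script and plain-HTTP requests can do with a session cookie.

```python
import base64
import re

# Constructed sample Set-Cookie headers (hypothetical; not E-Trade's real format).
WEAK_HEADER = "auth=" + base64.b64encode(b"jsmith:Tr4d3r!").decode() + "; Path=/"
HARDENED_HEADER = "session=8f3c2a9d1e7b4c5a; Path=/; Secure; HttpOnly; SameSite=Strict"

# Heuristic for a "user:password" pair stored directly in a cookie value.
CRED_PATTERN = re.compile(r"^[\w.@-]{3,64}:[^\s:]{4,128}$")


def _decoded_forms(value: str):
    """Yield the raw value and, if it is clean base64 of printable ASCII, the decoded text."""
    yield value
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return
    if raw and all(32 <= b < 127 for b in raw):
        yield raw.decode("ascii")


def audit_set_cookie(header: str) -> list:
    """Return a list of findings for one Set-Cookie header value (empty list if clean)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if any(CRED_PATTERN.match(v) for v in _decoded_forms(value)):
        findings.append(f"{name}: value carries credentials; use a random server-side session id")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly; page script (e.g. injected via XSS) can read it")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure; cookie may be sent over plain HTTP")
    return findings


if __name__ == "__main__":
    for h in (WEAK_HEADER, HARDENED_HEADER):
        print(h, "->", audit_set_cookie(h) or ["ok"])
```

Run against captured response headers, the credential check is the finding that matters most: even with HttpOnly set, a cookie that encodes the password itself turns any cookie disclosure into full account takeover.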
Baker says he contacted the company Aug. 21 to notify it of the problem, and then a second and third time in successive days. But when E-Trade failed to fix the problem a month later, he posted his findings on the Web. "They were simply sitting on the problem," Baker tells InformationWeek via E-mail. E-Trade didn't return calls for comment. Three-fourths of trades conducted by the company's more than 2 million account holders occur over the Internet.
"These [online brokerage] firms haven't had this problem in the past," says Scott Appleby, research analyst at Robertson Stephens. "I've never heard of anybody having this problem."