Event Summary
In late August computer programmer Jeff Baker discovered scenarios in which cybercriminals could compromise the password security of the users of E*Trade, an online securities trading portal. Mr. Baker reported these scenarios to the Director of System Security, and Manager of Security Threat Analysis at E*Trade in an exchange of e-mails that took place on August 21st, 22nd, and 23rd. The E*Trade management team acknowledged the vulnerabilities, but were unable to offer a timely solution. E*Trade's Security Director Clifford Reeser later called the problem "minor," and indeed there were no reports of any customer's security having actually been violated.
The problem centers around a feature of the site that lets users store their passwords in a cookie on their own PC; such cookies expire after six months. The encryption technique used for the passwords is a weak one. While appropriate for many sites this weak encryption seems to TEC and others as inappropriate for a site that enables large financial transactions. The problem is exacerbated by the existence of a well-known security vulnerability known as the "cross site scripting" attack. This technique allows a villain to get access to a cookie by planting an HTML link on an unrelated site.
On Friday, September 22, approximately 30 days later, these vulnerabilities were made public by Mr. Baker via a posting to the Bugtraq security mailing list hosted by, SecurityFocus.Com. Upon release of this posting, E*Trade stock dipped approximately one full point after the announcement. Mr. Baker explained that he was posting the vulnerability to a public list because E*Trade had failed to notify its users or take any corrective action. Mr. Baker retained certain details of the vulnerability in his posting so as not to open E*Trade to a flurry of attacks.
However, another programmer, Marc Slemko, who read Mr. Baker's posting reported that it only took him two minutes to verify and only 30 minutes to understand the algorithm being used and write a program to decode it. According to Mr. Slemko, "When you choose to save your login information, E*Trade sets a cookie on your system that consists of your username and password, trivially encoded. Anyone can easily steal that cookie via the well known 'cross site scripting' attack."
Soon after the news of the vulnerability broke E*Trade announced a new system for handling password storage.
Market Impact
We do not believe that this incident will lead to an increased market for security services among large web sites. Sadly, the pattern continues that sites make changes only after an intrusion is detected and made public, although of course it is not possible to tell how many sites have had intrusions that were hushed up.
User Recommendations
TEC recommends that any company that deals with user information, whether it is stored only on their own site or is kept in a cookie on the user's computer, conduct a comprehensive security analysis, using security specialists, to evaluate their vulnerability.
E*Trade users should log into the E*Trade site so that new modifications to the cookie format can be written to their machine. We do not believe that the likelihood of any individual's account being compromised is high enough to warrant extraordinary actions, but those who wish to take them, can limit their browsers to reduce or eliminate any risk. Doing this, however, will limit your browser's capabilities for all sites.
For Internet Explorer the following steps will tighten the security of your browser.
If using Internet Explorer 5: go into the Tools » Internet Options » Security » Custom Level;
If using Internet Explorer 4: go into the View » Internet Options » Security » Custom Level; and
If using Netscape Communicator: