Schwab's Site Could Cost Its Customers

Security flaw could allow hacker access to another customer's account.

Elinor Abreu, The Industry Standard
Thursday, December 07, 2000

Charles Schwab's online customers are at risk of having their account information accessed and
their accounts manipulated due to the same software vulnerability that affected E-Trade's Web
site in September.

Both online brokers are highly susceptible to so-called cross-site scripting, a common flaw in
Web-based applications that lets an attacker trick a user's browser into executing script that
the user did not intend to run.

In the Schwab case, an attacker could use JavaScript to gain control of another Schwab
customer account while the user is online, and could retrieve the cookie that Schwab employs for
user authentication, according to Jeffrey W. Baker, who posted the vulnerability on the Bugtraq
security mailing list Monday. The security flaw also opens the possibility of an attacker figuring
out a customer's log-in cookie.
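The two preceding paragraphs describe the mechanism in words: a page that echoes attacker-controlled input without encoding it lets script run in the brokerage's origin, where it can read the authentication cookie. The following is an added example, not code from the article or from Schwab or E-Trade, showing the defect beside its fix. The `ticker` parameter, the function names and the sample input are constructed for illustration; the `HttpOnly` cookie attribute is a browser feature that post-dates the article and is included as the standard mitigation for cookie theft by script.

```javascript
// Added example (not from the article, Schwab, or E-Trade): how a reflected
// cross-site scripting flaw arises when a web application copies user input
// into HTML without encoding it, and the two fixes a reviewer would ask for:
// encode on output, and keep the session cookie out of reach of page scripts.
// Function and parameter names are hypothetical; "ticker" is a constructed
// stand-in for any request value a brokerage page might echo back.

// Minimal HTML entity encoding for text placed inside an element body or a
// double-quoted attribute. Ampersand goes first so later entities are not
// double-encoded; every character that can start markup is replaced.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: the request parameter is pasted straight into the markup, so a
// crafted link makes the victim's browser run whatever script the link carried,
// inside the brokerage's origin.
function renderQuoteVulnerable(ticker) {
  return `<h1>Quote for ${ticker}</h1>`;
}

// HARDENED: the same page with the parameter encoded on output. Whatever the
// link contained is displayed as text and never parsed as markup.
function renderQuoteSafe(ticker) {
  return `<h1>Quote for ${escapeHtml(ticker)}</h1>`;
}

// Regression check for any rendered page: if the untrusted input contained
// markup characters and still appears verbatim in the output, encoding was skipped.
function inputReflectedUnencoded(html, untrustedInput) {
  return /[<>"'&]/.test(untrustedInput) && html.includes(untrustedInput);
}

// Session cookie attributes. The attack in the article reads the authentication
// cookie from script; HttpOnly hides the cookie from document.cookie, Secure keeps
// it off plaintext HTTP, and SameSite limits cross-site requests carrying it.
function sessionCookieHeader(name, value, { httpOnly = true, secure = true } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "SameSite=Lax"];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Run both renderers over a constructed sample input and report the results.
function demo() {
  const crafted = "IBM<script>alert(document.cookie)</script>"; // constructed sample
  const vulnerable = renderQuoteVulnerable(crafted);
  const safe = renderQuoteSafe(crafted);
  return {
    vulnerable,
    safe,
    vulnerableReflects: inputReflectedUnencoded(vulnerable, crafted), // true
    safeReflects: inputReflectedUnencoded(safe, crafted),             // false
    cookie: sessionCookieHeader("session", "abc 123"),
  };
}

console.log(demo());
```

The check `inputReflectedUnencoded` is deliberately crude: it only catches input echoed verbatim, which is enough to fail a test for the defect shown here but is no substitute for encoding every untrusted value at the point it enters HTML.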

"The attacker can choose to either gain interactive use of the service, or to cause the account
holder to perform inadvertent unwanted actions on the attacker's behalf," Baker writes.

Schwab customers can become vulnerable to the exploit merely by clicking on a Web page link,
or on an image embedded in an e-mail or a message on a stock trading bulletin board. (See
"Trading Up.")

Fixing the Problem?

Baker is critical of the way Schwab has handled--or rather not handled, in his opinion--the
problem. He says he discovered the security flaws in August and that despite having discussions
with Schwab staff about them from August 25 to August 28, the problem has not been resolved.

"As an organization, Schwab should strive to fix problems when given five-month advance
notice," he writes. "They should raise their ethical standards to alert their paying customers
whenever a system vulnerability is reported."

Elias Levy, chief technology officer of the SecurityFocus.com portal and moderator of the Bugtraq
mailing list, says the vulnerability is the result of poor programming practices.

Schwab spokesperson John Sommerfield says the brokerage has taken "intermediate" steps to
correct the problem, though he declines to specify what those steps are. The company will have
a complete fix for the problem by the end of the year, he says, adding that no incidents have
been reported and that the risk is "relatively minimal" for customers.

"In order for someone to attack you as a Schwab customer, the hacker must know you're a
customer and [that you are] logged on," Sommerfield says. "Also, the hacker must know the
customer's e-mail address."

Baker recommends that Schwab customers disable JavaScript in their browsers and that they
not visit any other Web sites, read e-mail messages, or use bulletin boards while using
Schwab's Web site. He also warns that Schwab customers should log off the Schwab site when
they are finished using it, and always close and restart their browser before and after using the
Web site.

In September, Baker reported on Bugtraq the same scripting problem at E-Trade, in hopes of
spurring the brokerage to take action. A call to an E-Trade spokesperson to find out whether the
cross-site scripting vulnerability has been fixed was not immediately returned Wednesday
evening.

The cross-site scripting problem first came to light in February when experts at CERT, the
Computer Emergency Response Team at Carnegie Mellon University, released an advisory. In
general, Web users are advised not to open e-mail messages or click on Web links that aren't
from trusted sources.