Want CNET to notify you of price drops and the latest stories?

E*Trade fixes one security problem, admits another

The online brokerage acknowledges that its Web site is vulnerable to a common attack that could allow a hacker to hijack a customer's browser and gain access to sensitive information.

3 min read
E*Trade acknowledged today that its Web site is vulnerable to a common attack that could potentially allow a hacker to hijack a customer's browser and gain access to sensitive information.

Security experts first warned Web sites of the vulnerability, known as "cross-site scripting," in February. Despite the warning, hundreds of sites remain susceptible to such attacks, security experts say.

"It's probably the most significant--yet relatively unpublicized--hole on the Web right now," said Seattle software engineer Marc Slemco.

E*Trade spokeswoman Heather Fondo said the company is working "aggressively" to close the vulnerability.

The vulnerability came to light after the company rushed to fix another security problem over the weekend. On Friday, San Francisco computer programmer Jeff Baker reported on the Bugtraq security mailing list that programming problems at E*Trade had left individual customer accounts vulnerable to hacker attacks. Baker identified at least two problems: vulnerability to cross-site scripting and an insecure cookie used to log into the popular online brokerage.

Using the cross-site scripting vulnerability, a hacker could gain access to a customer's E*Trade login cookie. Because the cookie was encoded, not encrypted, a hacker could easily unscramble the cookie, yielding a customer's username and password.

E*Trade fixed its cookie problem Sunday, changing the algorithm by which it scrambled the cookie data, Fondo said.

"Our cookie technology is safe and secure," she added.

But the cross-site scripting vulnerability remains. It allows hackers to run dangerous code within a Net user's browser or email client. Such code could potentially expose the contents of a person's hard drive, or in this case, the E*Trade login cookie.

"There's really no excuse for (a cross-site scripting problem)," Baker said. "They've known about it for 9 months."

Although cross-site scripting has been publicized on Bugtraq and among security experts, Elias Levy, Bugtraq's moderator and the chief technology officer of SecurityFocus.com, called it one of the most widespread security threats on the Web, afflicting many popular sites. Levy said he is unaware of any confirmed cases of the vulnerability being exploited, but it may be only a matter of time.

"The problem is so widespread that I would be surprised if people weren't exploiting it," Levy said.

To protect hard drives from the cross-site scripting, security experts recommend that Net users not open suspicious email or click suspect links.

Although E*Trade has fixed the problem with its cookies, Levy and others recommend that E*Trade customers not surf other Web sites while logged into the online brokerage and that they log off the site and close their browsers after finishing trading sessions.

Fondo said that no customer information has been compromised as a result of the vulnerabilities. She said E*Trade became aware of the cookie problem in August, when Baker contacted the Security,
privacy issues make Net users uneasy company privately. The fix came just days after Baker went public with the vulnerabilities, reporting the problem on Bugtraq.

Baker said he reported the vulnerability on Bugtraq to put pressure on E*Trade to fix the problem.

Fondo acknowledged that the timing of the fix seemed suspicious but said the company had been working diligently since August to understand and correct the password vulnerability. "You have to look at the fact that you don't create an algorithm overnight," she said.

Baker, however, said E*Trade had dragged its heels in solving the problem.

"Basically E*Trade was sitting on the problem," Baker said. "I think this is a serious issue to have if you are an online bank. You can't really be ignoring the security of users."