Users of Charles Schwab & Co. Inc.’s online trading site could be opening themselves to attacks that would give a hacker access to their accounts, a bug hunter warned.
Jeffrey Baker, a San Francisco-based software developer, discovered three security problems with the service on Aug. 25 but said Schwab staff did not listen to his warnings.
“Between 25 August and 28 August 2000, I had discussions with Schwab staff, but with no result,” Baker wrote in a security advisory Monday. “As of the time of this writing, the flaws still exist and I have no reason to believe that they are in the process of being fixed.”
Baker, who previously found a security hole in E*Trade.com, said an attacker using cross-site scripting could gain control of a customer’s account and then either gain interactive use of the service or cause the account holder to perform inadvertent, unwanted actions on the attacker’s behalf. He also said it may be possible to predict a user’s login cookie.
“Typically, the attacker would need to exploit this problem by causing a Schwab user to make an HTTP request while logged on to the Schwab service,” Baker said. “The likely vector for such an attack would be a link or image embedded in an e-mail or a message on a stock trading bulletin board. Heavy users of the service are the most vulnerable.”
He also said he noticed that the Schwab login cookie varies only in its first five character positions at each login, with the first character always a hex digit and the other four in the range [0-9A-Z]. While he did not perform a cryptanalysis, Baker said he has a moderate suspicion that it would be possible to predict a login cookie with reasonable success.
Schwab did not return calls as of this writing.
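The login-cookie observation reported above can be turned into a repeatable check. The following Python sketch is an added example, not code from Baker's advisory or from Schwab: it takes a sample of session cookies, finds the positions that change, and computes an upper bound on the entropy those positions can carry. The sample cookies are constructed to match the pattern the article describes, uppercase hex is assumed for the "hex digit", and the 64-bit threshold is an assumed default drawn from common session-management guidance.

```python
import math
import string

# Candidate alphabets, smallest first. A position is assigned the smallest
# class that contains every character observed at that position.
CLASSES = [
    ("digit", set(string.digits)),
    ("hex", set("0123456789ABCDEF")),  # assumption: uppercase hex
    ("upper-alnum", set(string.digits + string.ascii_uppercase)),
    ("alnum", set(string.digits + string.ascii_letters)),
    ("printable", set(string.printable)),
]

# Constructed sample: five leading characters vary, the tail is fixed.
SAMPLE = [
    "3K9ZQ00FIXEDTAIL",
    "A0B7M00FIXEDTAIL",
    "F2ZX100FIXEDTAIL",
    "7QW8E00FIXEDTAIL",
]

def classify(chars):
    """Return (name, size) of the smallest alphabet covering chars."""
    for name, alphabet in CLASSES:
        if chars <= alphabet:
            return name, len(alphabet)
    raise ValueError("non-printable character in token")

def audit_tokens(tokens, min_bits=64):
    """Upper-bound the entropy of the positions that vary across tokens.

    The bound assumes each varying position is uniform and independent,
    so the real entropy can only be lower. A small sample may also
    under-classify a position (e.g. see only hex characters by chance).
    """
    if len(tokens) < 2 or len({len(t) for t in tokens}) != 1:
        raise ValueError("need two or more tokens of equal length")
    report = {"varying": [], "keyspace": 1}
    for i in range(len(tokens[0])):
        seen = {t[i] for t in tokens}
        if len(seen) > 1:  # fixed positions contribute no entropy
            name, size = classify(seen)
            report["varying"].append((i, name))
            report["keyspace"] *= size
    report["bits"] = math.log2(report["keyspace"])
    report["weak"] = report["bits"] < min_bits
    return report

if __name__ == "__main__":
    print(audit_tokens(SAMPLE))
```

For the pattern in the article (one hex digit plus four characters from [0-9A-Z]) the bound is 16 × 36⁴ = 26,873,856 possible values, or about 24.7 bits, even before any structure in how the values are generated is considered.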