Users of Charles Schwab & Co. Inc.’s online trading site could be opening themselves to attacks that would give a hacker access to their accounts, a bug hunter warned.
Jeffrey Baker, a San Francisco-based software developer, discovered three security problems with the service on Aug. 25 but said Schwab staff did not listen to his warnings.
“Between 25 August and 28 August 2000, I had discussions with Schwab staff, but with no result,” Baker wrote in a security advisory Monday. “As of the time of this writing, the flaws still exist and I have no reason to believe that they are in the process of being fixed.”
Baker, who previously found a security hole in E*Trade.com, said an attacker using cross-site scripting could gain control of a customer’s account and then either gain interactive use of the service or cause the account holder to perform inadvertent, unwanted actions on the attacker’s behalf. He also said it may be possible to predict a user’s login cookie.
The bug has the potential to affect all Schwab users, according to Baker. He said the Schwab site does not properly validate form input, and in some places that input is echoed back to a user’s browser without proper HTML escaping. This makes it possible for an attacker to execute JavaScript code in a user’s browser, which in turn could be used to retrieve the HTTP cookie that Schwab uses for user authentication.
“Typically, the attacker would need to exploit this problem by causing a Schwab user to make an HTTP request while logged on to the Schwab service,” Baker said. “The likely vector for such an attack would be a link or image embedded in an e-mail or a message on a stock trading bulletin board. Heavy users of the service are the most vulnerable.”
He also said he noticed that only the first five character positions of the Schwab login cookie vary from one login to the next, with the first character always a hex digit and the other four in the range [0-9A-Z]. While he did not perform a cryptanalysis, Baker said he has a moderate suspicion that it would be possible to predict a login cookie with reasonable success.
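The two weaknesses the advisory describes, unescaped echoing of form input and a session cookie with little variation, are illustrated below in an added Python example that is not part of the article or of Baker's advisory. The page template, the sample input and the 128-bit replacement token are assumptions made for illustration; the cookie character ranges are the ones the article reports.

```python
import html
import math
import secrets

# Constructed sample of a form value a search page might echo back.
# It is inert text here: nothing is rendered, submitted or sent anywhere.
SAMPLE_INPUT = "IBM<script>alert(1)</script>"


def echo_unescaped(value: str) -> str:
    """The pattern the advisory describes: form input copied straight into HTML."""
    return f"<p>You searched for: {value}</p>"  # hypothetical page template


def echo_escaped(value: str) -> str:
    """The fix: HTML-escape untrusted input before it reaches the browser."""
    return f"<p>You searched for: {html.escape(value, quote=True)}</p>"


def contains_active_markup(page: str) -> bool:
    """Crude response check a defender can run: is a raw <script> tag present?"""
    return "<script" in page.lower()


def reported_cookie_space() -> int:
    """Number of distinct cookies if only five positions vary, as the article
    reports: one hex digit (16 choices) and four characters from [0-9A-Z] (36)."""
    return 16 * 36 ** 4


def bits_of_entropy(space: int) -> float:
    """Effective entropy of a token drawn uniformly from `space` values."""
    return math.log2(space)


def random_session_token(nbytes: int = 16) -> str:
    """What a session identifier should look like instead: CSPRNG output,
    128 bits (32 hex characters) with the default argument."""
    return secrets.token_hex(nbytes)
```

The escaped version turns the angle brackets into entities so the browser shows the text instead of running it, and the entropy figure (about 24.7 bits for the reported cookie format versus 128 for the random token) is what makes a guessing attack plausible in one case and not the other.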
Baker said Schwab users can take four steps to defend themselves from attack. First, users should disable JavaScript in their browsers, though Baker did not know whether JavaScript is needed to properly use the Schwab site. Secondly, users should not visit any other Web sites, read e-mail, or use bulletin boards while using the Schwab site. Thirdly, users should always log off the site when finished. Finally, users should always close and restart their browsers before and after entering the Schwab site.
Schwab did not return calls as of this writing.