Schwab's site could be vulnerable

(IDG) -- Charles Schwab's online customers are at risk of having their account information accessed and their accounts manipulated due to the same software vulnerability that affected E-Trade's Web site in September. Both online brokers are highly susceptible to so-called cross-site scripting, a common flaw found in Web-based applications that allows a browser to be tricked into executing code that the user did not intend.
In the Schwab case, an attacker could use JavaScript to gain control of another Schwab customer account while the user is online, and could retrieve the cookie that Schwab employs for user authentication, according to Jeffrey W. Baker, who posted the vulnerability on the Bugtraq security mailing list Monday. The security flaw also opens the possibility of an attacker figuring out a customer's login cookie. "The attacker can choose to either gain interactive use of the service, or to cause the account holder to perform inadvertent unwanted actions on the attacker's behalf," Baker writes.
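The class of flaw described above, shown as an added example that is not part of the article and is not Schwab's or E-Trade's code: a server-side page that echoes a request parameter into HTML unencoded, beside the same page with HTML entity encoding applied, and a session cookie set so that page scripts cannot read it. The function names, the page layout and the sample input are constructed for this illustration.

```javascript
// Added example, not from the article. Minimal illustration of reflected
// cross-site scripting and its two standard server-side mitigations.

// Encode the characters that let untrusted text break out of HTML text or
// attribute context. '&' must be handled first so it is not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: a query parameter is copied straight into the page.
// Any markup in `query` becomes part of the document and runs with the
// site's origin, including access to that origin's cookies, which is the
// exposure the article describes.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened pattern: the same page, with the parameter encoded before output,
// so the browser displays the text instead of interpreting it as markup.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Second layer: mark the session cookie HttpOnly (not readable by script) and
// Secure (sent only over TLS). HttpOnly was added to browsers after this
// article was written; it limits the damage of an injection that slips past
// output encoding but does not replace it. Name/value checks keep a caller
// from injecting extra attributes into the header.
function sessionCookieHeader(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || /[\s;,]/.test(value)) {
    throw new Error("invalid cookie name or value");
  }
  return `${name}=${value}; Path=/; Secure; HttpOnly`;
}

// Constructed sample input: a harmless script tag, as a tester's probe
// would use, to show the difference between the two renderers.
const probeInput = "<script>probe()</script>";
const unsafeOutput = renderSearchUnsafe(probeInput);
const safeOutput = renderSearchSafe(probeInput);
```

`unsafeOutput` contains a live `<script>` element; `safeOutput` contains only `&lt;script&gt;...`, which the browser renders as text. Encoding must happen at the point of output, for every untrusted value, and must match the context (the helper above is for HTML text and quoted attributes, not for JavaScript or URL contexts).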
Schwab customers can become vulnerable to the exploit merely by clicking on a Web page link, or on an image embedded in an e-mail or a message on a stock trading bulletin board.

Baker was critical of the way Schwab has handled -- or rather not handled, in his opinion -- the problem. He said he discovered the security flaws in August and that despite having discussions with Schwab staff about them from Aug. 25 to Aug. 28, the problem has not been resolved. "As an organization, Schwab should strive to fix problems when given five-month advance notice," he writes. "They should raise their ethical standards to alert their paying customers whenever a system vulnerability is reported."

Elias Levy, CTO of the SecurityFocus.com portal and moderator of the Bugtraq mailing list, says the vulnerability is the result of poor programming practices.

Schwab spokesman John Sommerfield said the brokerage has taken "intermediate" steps to correct the problem, though he declined to specify what those steps are. The company will have a complete fix for the problem by the end of the year, he says, adding that no incidents have been reported and that the risk is "relatively minimal" for customers. "In order for someone to attack you as a Schwab customer, the hacker must know you're a customer and [that you are] logged on," Sommerfield says. "Also, the hacker must know the customer's e-mail address."

Baker recommends that Schwab customers disable JavaScript in their browsers and that they not visit any other Web sites, read e-mail or use bulletin boards while using Schwab's Web site. He also warns that Schwab customers should log off the Schwab site when they are finished using it, and always close and restart their browser before and after using the Web site.

In September, Baker reported on Bugtraq the same scripting problem at E-Trade, in hopes of spurring the brokerage to take action.
A call to an E-Trade spokeswoman to find out if the cross-site scripting vulnerability has been fixed was not immediately returned Wednesday evening.

The cross-site scripting problem first came to light in February when experts at CERT, the Computer Emergency Response Team at Carnegie Mellon University, released an advisory. In general, Web users are advised not to open e-mail messages or click on Web links that aren't from trusted sources.
© 2001 Cable News Network. All Rights Reserved.