-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*****************************************************************************
SCOTTRADER APPLICATION EXPLOIT
*****************************************************************************
RISK TO CUSTOMER
Extremely High
***********
BACKGROUND
Scottrade, Inc. is a discount online brokerage firm with over 1.4 million
customers. Scottrade began online trading in 1996 and has received high
satisfaction ratings since the release of their online trading application
called Scottrader.
********
SUMMARY
The Scottrader java applet provides real-time access to market quotes,
news services, online ordering, and execution confirmation.
Due to an unchecked password field on the server-side, an anonymous
user could obtain elevated access to a customer's private account.
**************
PREREQUISITES
A valid Scottrade account number
******************
TECHNICAL DETAILS
The Scottrader java applet provides an interface to a custom server-side
application at Scottrade that provides real-time quote information,
account balances, portfolio access, watch lists, orders, order
confirmation, news service feeds, and a lot more.
The custom server-side application fails to properly validate new
connections, thus allowing an anonymous third party to establish a
valid Scottrader connection without the verification of any secret
data, password, or other authentication mechanism.
The Scottrader Java applet takes a parameter specified in the HTML
page that initiates the applet loading. This parameter is an encoded
representation of various account details, including the username and
password of the account holder.
The encoding format is easily deciphered by converting the hex string
into a byte array and then XOR'ing the bytes with the value 5.
An attacker, armed with the knowledge of a valid account number, can
easily start the java applet with the password field NULL or invalid
and access any customer account.
I am not aware of any pattern to the way account numbers are assigned,
but there are a few ways to identify a customer account number:
- Dumpster Dive (Yuck, who wants to dig through trash)
- Exploitation of the SCOTTSAVE.COM TRADE HISTORY EXPLOIT
- Random guessing of account numbers (described below)
Guessing account numbers might at first sound near impossible, until
you realize that Scottrade identifies all customers with an 8 digit
number. Scottrade boasts 1.4 million accounts on their website.
Do the math: 1400000 / (99999999 - 10000000) = 0.01555
The numbers show that you are at least likely to guess right 1.55% of
the time.
****************
EXAMPLE EXPLOIT
No example exploit demonstration was provided to Scottrade at the
time of notification.
*******
STATUS
Scottrade was contacted January 3rd, 2005. Scottrade was provided
vulnerability details the evening of January 24th, 2005.
A coordinated disclosure would have been ideal, but Scottrade has
ignored all communications from me since January 24th. I believe
enough time has elapsed that the security holes reported have now
been corrected.
For more information, contact Scottrade at (800) 619-7283.
**************
PERSONAL RANT
As a previously happy customer of Scottrade, I am also a victim
to the issues discussed. I am not satisfied with Scottrade's
response (actually, a lack thereof) when attempting to report
the issue and hope that making it public will ensure that
it is properly addressed and the timely notifications are sent
to customers affected.
********************
FURTHER INFORMATION
On November 10, 2004 Wanda Fish commented "Scottrade's 'security'
amuses me" when she unknowingly was discussing a matter related to
the issue above.
Her post has a Message-ID of 4192b565$1@xxxxxxxxxxxxx and is available
on groups.google.com
******************
LEGAL INFORMATION
The information provided is subject to change at any time without
notification. This information is believed to be correct.
The reporter of this issue shall not be held liable for any
downtime, lost profits, or damages due to this report
or the issues contained within it.
*****************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCBb7zLQa1lBNB5R0RAhJCAKDREOvwKnRPM4Gg/udYtYeJV/ynOgCePhrQ
VpNBm1uuPpVtoOXsyzmDvqs=
=63zK
-----END PGP SIGNATURE-----
