<<< Date Index >>>     <<< Thread Index >>>

Scottrader Application Exploit



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*****************************************************************************
                        SCOTTRADER APPLICATION EXPLOIT
*****************************************************************************
 RISK TO CUSTOMER
 Extremely High

***********
 BACKGROUND
 Scottrade, Inc. is a discount online brokerage firm with over 1.4 million
 customers. Scottrade began online trading in 1996 and has received high
 satisfaction ratings since the release of their online trading application
 called Scottrader. 
 
********
 SUMMARY
 The Scottrader java applet provides real-time access to market quotes,
 news services, online ordering, and execution confirmation.
 Due to an unchecked password field on the server-side, an anonymous
 user could obtain elevated access to a customer's private account.

**************
 PREREQUISITES
 A valid Scottrade account number

******************
 TECHNICAL DETAILS
 The Scottrader java applet provides an interface to a custom server-side
 application at Scottrade that provides real-time quote information,
 account balances, portfolio access, watch lists, orders, order
 confirmation, news service feeds, and a lot more.

 The custom server-side application fails to properly validate new
 connections, thus allowing an anonymous third party to establish a
 valid Scottrader connection without the verification of any secret
 data, password, or other authentication mechanism.

 The Scottrader Java applet takes a parameter specified in the HTML
 page that initiates the applet loading.  This parameter is an encoded
 representation of various account details, including the username and
 password of the account holder.

 The encoding format is easily deciphered by converting the hex string
 into a byte array and then XOR'ing the bytes with the value 5.

 An attacker, armed with the knowledge of a valid account number, can
 easily start the java applet with the password field NULL or invalid
 and access any customer account.

 I am not aware of any pattern to the way account numbers are assigned,
 but there are a few ways to identify a customer account number:
  - Dumpster Dive (Yuck, who wants to dig through trash)
  - Exploitation of the SCOTTSAVE.COM TRADE HISTORY EXPLOIT
  - Random guessing of account numbers (described below)

 Guessing account numbers might at first sound near impossible, until
 you realize that Scottrade identifies all customers with an 8 digit
 number.  Scottrade boasts 1.4 million accounts on their website.
 Do the math: 1400000 / (99999999 - 10000000) = 0.01555
 The numbers show that you are at least likely to guess right 1.55% of
 the time.
 
****************
 EXAMPLE EXPLOIT
 No example exploit demonstration was provided to Scottrade at the
 time of notification.

*******
 STATUS
 Scottrade was contacted January 3rd, 2005.  Scottrade was provided
 vulnerability details the evening of January 24th, 2005.

 A coordinated disclosure would have been ideal, but Scottrade has
 ignored all communications from me since January 24th.  I believe
 enough time has elapsed that the security holes reported have now
 been corrected.

 For more information, contact Scottrade at (800) 619-7283.

**************
 PERSONAL RANT
 As a previously happy customer of Scottrade, I am also a victim
 to the issues discussed.  I am not satisfied with Scottrade's
 response (actually, a lack thereof) when attempting to report
 the issue and hope that making it public will ensure that
 it is properly addressed and the timely notifications are sent
 to customers affected.

********************
 FURTHER INFORMATION
 On November 10, 2004 Wanda Fish commented "Scottrade's 'security'
 amuses me" when she unknowingly was discussing a matter related to
 the issue above.
 Her post has a Message-ID of 4192b565$1@xxxxxxxxxxxxx and is available
 on groups.google.com

******************
 LEGAL INFORMATION
 The information provided is subject to change at any time without
 notification.  This information is believed to be correct.
 The reporter of this issue shall not be held liable for any
 downtime, lost profits, or damages due to this report
 or the issues contained within it.

*****************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCBb7zLQa1lBNB5R0RAhJCAKDREOvwKnRPM4Gg/udYtYeJV/ynOgCePhrQ
VpNBm1uuPpVtoOXsyzmDvqs=
=63zK
-----END PGP SIGNATURE-----