Scottsave.com Trade History Exploit
*****************************************************************************
SCOTTSAVE.COM TRADE HISTORY EXPLOIT
*****************************************************************************
RISK TO CUSTOMER
Extremely High
***********
BACKGROUND
Scottrade, Inc. is a discount online brokerage firm with over 1.4 million
customers. Scottrade began online trading in 1996 and has received high
satisfaction ratings since the release of their online trading application
called Scottrader.
********
SUMMARY
A serious vulnerability exists in the Trade History feature of the
Scottsave.com website allowing an anonymous third party to gain
confidential information about customers and their trading habits.
The information available could be used to perform identity theft,
fraud, and other potentially criminal actions through social engineering.
**************
PREREQUISITES
None
******************
TECHNICAL DETAILS
Scottrade provides web-based access to customer trade history
through the Scottsave.com website which requires a valid username
and password to access.
All trades recorded by Scottrade are assigned an auto-incrementing
identifier in their database. Normally a customer browses their
entire trade history summary and then clicks a FORM submit button
that brings up details on individual trades.
The page that provides trade details is:
https://www1.scottsave.com/Scripts/Confirms.dll?DisplayPage
On this page, the following information is displayed:
- Scottrade Account Number
- Account Holder Name
- Account Holder Address (at the time of execution)
- Trading Symbol
- Security Description (Name of the company being traded)
- Trade Number
- Account Type (Broker Dealer, Cash, Margin, Short, etc)
- Market of Execution (Over-the-Counter, NYSE, Nasdaq, etc)
- Capacity in which Scottrade acted
- Account Instructions (Hold Funds in Account, Mail Security, etc)
- Trade Date
- Settlement Date
- Office Code
- Action (Buy or Sell)
- Quantity (# of shares traded)
- CUSIP Number
- Coupon Maturity
- Price
- Principal
- Commission Paid
- State Tax / Interest
- SEC Fee
- Trans Fee
- Misc Fees
- Interest
- Net Amount
- Additional Information (Text field used to specify any additional info)
This information can be retrieved by performing an HTTP POST to:
https://www1.scottsave.com/Scripts/Confirms.dll?Summary?OPTIMIZED=
The only field required in this POST is named "ID1234567" with the
value "Details", where 1234567 is the ID number that identifies the
trade.
Because the ID number appears to be an auto-incrementing value, one can
easily guess an entire range of valid trade numbers. One can systematically
retrieve records from all trades made, collecting the above information
about each customer.
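The two defender-side pieces that this section implies, as an added illustration that is not part of the original advisory: a server-side ownership check so a trade record is returned only to the account that owns it, and a log check that flags a client walking through many distinct trade IDs. The "ID<number>"/"Details" field convention is taken from the advisory; the trade table, account names, and log line format are constructed placeholders.

```python
import re
from collections import defaultdict

# Field naming described in the advisory: "ID" followed by the trade number,
# submitted with the value "Details".
TRADE_FIELD = re.compile(r"^ID(\d+)$")

# Constructed sample data (placeholders): trade id -> owning account.
TRADES = {
    1234567: "ACCT-A",
    1234568: "ACCT-B",
    1234569: "ACCT-A",
}

def trade_id_from_form(form):
    """Return the trade number encoded in the submitted field name, or None."""
    for name, value in form.items():
        m = TRADE_FIELD.match(name)
        if m and value == "Details":
            return int(m.group(1))
    return None

def lookup_trade(session_account, form):
    """Hardened handler: the record is returned only when the trade belongs
    to the account that owns the session. A missing, unknown, or foreign id
    all yield the same None so the response does not confirm which ids exist."""
    trade_id = trade_id_from_form(form)
    if trade_id is None or TRADES.get(trade_id) != session_account:
        return None
    return {"trade": trade_id, "account": session_account}

def enumeration_suspects(log_lines, threshold=5):
    """Flag clients that request more than `threshold` distinct trade ids.
    Constructed log format: '<client_ip> POST <path> <form-field-name>'."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[1] != "POST":
            continue
        m = TRADE_FIELD.match(parts[3])
        if m:
            seen[parts[0]].add(int(m.group(1)))
    return sorted(ip for ip, ids in seen.items() if len(ids) > threshold)

# Constructed sample log: one client walking sequential ids, one normal user.
SAMPLE_LOG = [f"203.0.113.5 POST /Scripts/Confirms.dll ID{1234560 + i}"
              for i in range(8)] + [
    "198.51.100.7 POST /Scripts/Confirms.dll ID1234567",
    "198.51.100.7 POST /Scripts/Confirms.dll ID1234569",
]
```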
Someone with malicious intent could possibly use the obtained information to:
- Gain detailed trading habit analysis of individual customers
- Gain private personal information about Scottrade customers
- Impersonate Scottrade customers and possibly socially engineer the wiring
of money from a customer's account into a third party's private bank
account
- Enumerate valid Account Numbers for use in the Scottrader Applet exploit
- And many other possible things...
****************
EXAMPLE EXPLOIT
The exploit is extremely simple to execute for even an inexperienced user.
To use this exploit, simply create an html file containing the following.
<html>
<head></head>
<base href="https://www1.scottsave.com/Scripts/Confirms.dll?Summary?OPTIMIZED=">
<body>
  <form action="Confirms.dll?DisplayPage" method="post" name="frmHeader">
    <input type="submit" value="Details" name="ID1234567">
  </form>
</body>
</html>
*******
STATUS
Scottrade was contacted January 3rd, 2005. Scottrade was provided
vulnerability details the evening of January 24th, 2005.
A coordinated disclosure would have been ideal, but Scottrade has
ignored all communications from me since January 24th. I believe
enough time has elapsed that the security holes reported have now
been corrected.
For more information, contact Scottrade at (800) 619-7283.
**************
PERSONAL RANT
As a previously happy customer of Scottrade, I am also a victim
of the issues discussed. I am not satisfied with Scottrade's
response (actually, a lack thereof) when attempting to report
the issue and hope that making it public will ensure that
it is properly addressed and that timely notifications are sent
to the customers affected.
******************
LEGAL INFORMATION
The information provided is subject to change at any time without
notification. This information is believed to be correct.
The reporter of this issue shall not be held liable for any
downtime, lost profits, or damages due to this report
or the issues contained within it.
*****************************************************************************