Passwords used by account holders at E-Trade were at risk of being stolen until the online brokerage fixed the problem Monday morning--but apparently not until it was prompted to do so by a computer programmer's public posting of the flaw.
On Friday, Jeffrey W. Baker posted an advisory about E-Trade on "BugTraq," an Internet mailing list that discusses computer-security vulnerabilities. In it, he wrote that "a combination of cross-site scripting and an incredibly bone-headed cookie authentication scheme allows a remote, third-party attacker to recover the user name and password of any E-Trade user. The attacker can use this information to gain full control over the E-Trade account."
Baker says he contacted the company Aug. 21 to notify it of the problem, and again on each of the following two days. When E-Trade had still not fixed the problem a month later, he posted his findings on the Web. "They were simply sitting on the problem," Baker tells InformationWeek via E-mail. E-Trade didn't return calls for comment. Three-fourths of trades conducted by the company's more than 2 million account holders occur over the Internet.
"These [online brokerage] firms haven't had this problem in the past," says Scott Appleby, research analyst at Robertson Stephens. "I've never heard of anybody having this problem."