[NEWS] Stock Portfolio Sent Via Clear Text in Datek Streamer Application

From: support@securiteam.com
Date: 11/18/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Stock Portfolio Sent Via Clear Text in Datek Streamer Application
Message-Id: <20011118174620.3403E138BF@mail.der-keiler.de>
Date: Sun, 18 Nov 2001 18:46:20 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Stock Portfolio Sent Via Clear Text in Datek Streamer Application
------------------------------------------------------------------------

SUMMARY

Although the user's primary Datek account page is protected by an SSL
tunnel, launching the "Portfolio" portion of Streamer
<http://www.datek.com/education/streamer.html> causes the user's entire
portfolio composition to be transmitted from Datek to the application in
clear text. Anyone able to observe the data stream between the client and
Datek's server can therefore view client portfolios and determine their
current value.

DETAILS

Streamer allows Datek investors to graphically monitor and manage their
online stock portfolios. This issue was first discovered on October 16,
2001 and was still present as of November 9, 2001. It is unknown how long
the issue existed prior to that.

Vulnerable process:
When you connect to the Datek Web Site <http://www.datek.com> and click on
login, you are given the choice of going either to the "investment site"
or to the Streamer application. In both cases you connect to an SSL site,
https://investments.datek.com. Upon choosing Streamer, either from the
initial login screen or from the resource pull-down on the investment
site, another SSL-protected browser window is opened for the Streamer Java
applet. Yet the applet itself is downloaded via HTTP.

Once Streamer is downloaded and the client launches the "Portfolio"
monitoring application, an HTTP GET request containing the user's login
ID, as well as some additional information, is sent to
STREAMERAPP.DATEK.COM. STREAMERAPP.DATEK.COM then responds in clear text
with the user's login ID, the entire portfolio composition and related
information, specifically the stock symbol and the number of shares held
of each. Using this information and current stock prices, it is extremely
easy to determine the client's portfolio valuation.

Example:
Below is a sample payload of a packet from STREAMERAPP.DATEK.COM to the
client:
S.......BARNES82145...3...........CSCO....142600....Cisco Sys Inc
Com........Q....22700... Qwest Communications Intl In
Com........CHK....16412....Chesapeake Energy Corp
Com..S.G.....EXTR.A*.\.A+.=.A+.=......Jah....\....[.A733.A#...A-....q.
A$Q..A+.=..S.%.....^INX.D.<.......D.R=.D..=.D./\..x..S.<.....CHK.=u...
A.ff.@..H........H.........).@..H.@.(..@.....n..S.:.....Q.At...A.p..A.
H......Z.............A....A.33.A.\)..n..S./.....^INDU.F.........>....
&..F..=.F.=..F..q..x..S.G.....CSCO.A..{.A.ff.A.ff........H...........
A..\.A.33.A.....q.A..{.A.ff..S.'.....^COMPX.D......"..D....D....D.....
x.....

This discloses that the username is BARNES82145 and that the user
currently holds 142,600 shares of Cisco, 22,700 shares of Qwest and 16,412
shares of Chesapeake Energy Corp.

CSCO @$19.2 * 142,600 shares = $2,737,920
Q @$11.85 * 22,700 shares = $268,995
CHK @$6.83 * 16,412 shares = $112,093

Total stock portfolio value of $3,119,008
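As an added example (not part of the advisory or Datek's code), the following Python shows what a passive network monitor could alert on: a response carried over plain HTTP whose body matches the Streamer portfolio layout described above (login ID followed by ticker, share count and company name records). The byte layout of the constructed sample is an assumption modelled on the dump, the regular expressions are heuristics of my own, and the price table reuses the advisory's figures.

```python
import re
from dataclasses import dataclass
from decimal import Decimal

# Constructed HTTP transactions modelled on the advisory (values are the page's sample, not a real capture).
FLOWS = [
    {"host": "investments.datek.com", "tls": True,
     "body": b"<html>account page over SSL</html>"},
    {"host": "streamerapp.datek.com", "tls": False,
     "body": b"S\x00\x00\x00BARNES82145\x00\x00\x003\x00\x00\x00CSCO\x00\x00142600\x00\x00Cisco Sys Inc Com"
             b"\x00\x00\x00Q\x00\x0022700\x00 Qwest Communications Intl In Com"
             b"\x00\x00\x00CHK\x00\x0016412\x00\x00Chesapeake Energy Corp Com\x00\x00S\x00G"},
]

@dataclass
class Position:
    symbol: str
    shares: int
    name: str

# The advisory's dump renders every non-printable byte as '.', so do the same before matching.
def printable(body: bytes) -> str:
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in body)

USER_RE = re.compile(r"^S\.+([A-Z]+\d+)\.")
# ticker, filler, share count, filler, optional space, company name up to the next filler byte
RECORD_RE = re.compile(r"([A-Z]{1,5})\.+(\d+)\.+ ?([A-Z][A-Za-z &]*?)(?=\.)")

def parse_portfolio(body: bytes):
    """Return (login_id, positions) if the body looks like a Streamer portfolio reply, else None."""
    text = printable(body)
    user = USER_RE.match(text)
    if not user:
        return None
    positions = [Position(s, int(n), name) for s, n, name in RECORD_RE.findall(text, user.end())]
    return (user.group(1), positions) if positions else None

def valuation(positions, prices):
    """Whole-dollar portfolio value, tabulated per position the way the advisory does."""
    return sum(int(Decimal(prices[p.symbol]) * p.shares) for p in positions if p.symbol in prices)

def find_cleartext_exposures(flows):
    """Flag non-TLS responses that carry a parseable portfolio: the condition a monitor should alert on."""
    hits = []
    for f in flows:
        parsed = None if f["tls"] else parse_portfolio(f["body"])
        if parsed:
            hits.append((f["host"], parsed[0], parsed[1]))
    return hits
```

Fed the advisory's prices, the flagged flow values at $3,119,008, the same total the advisory reaches by hand.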

Since it is common for the username to be the client's last name followed
by numbers, it is also possible to determine who this user is. In
addition, since humans are creatures of habit, they are likely to use the
same password elsewhere.

Concerns:
Users of the Datek Streamer application are led to believe that their
personal account information is secured throughout the use of this
application, which is not the case. This loss of privacy presents a
serious breach of confidentiality of account information.

In addition, HTTP traffic is often stored for extended periods by proxy
servers, third-party logging/reporting software, or intrusion detection
systems; therefore, even after these issues are addressed, the private
(and sensitive) information that was exposed may still be available.

Vendor response:
Datek has acknowledged that the above-described problem exists and that it
affects its Streamer application. Datek has not provided us a timeline
regarding when this issue will be resolved.

ADDITIONAL INFORMATION

The information has been provided by <mailto:cgrout@s4r.com> Chris Grout.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


