COMMAND

    Charles Schwab online trading

SYSTEMS AFFECTED

    Charles Schwab online trading

PROBLEM

    Jeffrey W. Baker found the following.   Charles Schwab operates an
    online  securities  trading  service.   On  25 August 2000 Jeffrey
    discovered three security problems with this service.  Between  25
    August and 28 August 2000,  he had discussions with Schwab  staff,
    but with no  result.  As  of the time  of this writing,  the flaws
    still exist and he has no  reason to believe that they are  in the
    process of being fixed.

    Through cross-site scripting, an attacker can gain control of  the
    account of a Charles Schwab  customer who uses the online  trading
    service.  The attacker can  choose to either gain interactive  use
    of  the  service,  or  to  cause  the  account  holder  to perform
    inadvertent unwanted actions on the attacker's behalf.

    Additionally, it may be possible to predict a user's login cookie.

    The  Schwab  trading  web  site  does  not  properly validate form
    input.   In some  places, the  form input  is echoed  back to  the
    user's browser  without proper  HTML escaping.   Therefore, it  is
    possible for an attacker to  cause JavaScript code to be  executed
    in the  user's browser.   The attacker  could use  this ability to
    retrieve   the   HTTP   cookie   which   Schwab   uses   for  user
    authentication.

    As a proof-of-concept, if a Schwab user visits this URL, their
    login cookie will be presented to them in a JavaScript alert
    dialog.  The proof-of-concept can be easily modified to instead
    send the login cookie to an arbitrary HTTP server.  The URL is:

        https://investing.schwab.com/trading/trdmoesverify/?menu=2&submenu=1&ADOrderEntryNumber=0&AffirmativeDetermination=0&prenv=N&numOrders=3&Symbol0=foo%22><script>alert(document.cookie)</script><input%20value=%22&TradeType0=Select+One&Quantity0=&OrderType0=&LimitPrice0=&Minimum0=&MinimumQuantity0=&TimeLimit0=Day+Only&StopPrice0=&DoNotReduce0=&AllOrNone0=

    There are other locations on the site which exhibit the cross-site
    scripting problem, for example the forms at

        https://investing.schwab.com/trading/quotexec/

    Typically,  the  attacker  would  need  to exploit this problem by
    causing a Schwab user to make  an HTTP request while logged on  to
    the Schwab service.   The likely vector  for such an  attack would
    be a link or  image embedded in an  email or a message  on a stock
    trading bulletin board.  Heavy  users of the service are  the most
    vulnerable.

    Jeffrey noted  that the  Schwab login  cookie only  varied in  the
    first five character positions at each login.  The first character
    was always  a hex  digit, and  the other  four were  in the  range
    [0-9A-Z].   He  did  not  attempt  a  cryptanalysis,  but he has a
    moderate suspicion that  it may be  possible to predict  the login
    cookie with reasonable success.

    This bug affects potentially all Schwab users.

SOLUTION

    To defend against this attack, the user should:

        1) disable JavaScript in the browser.
        2) not visit any other web sites, read email, or use  bulletin
           boards while using the Schwab web site.
        3) always log off of the Schwab web site when done using it.
        4) always close and restart the browser before and after using
           the Schwab web site.

    Schwab should examine their programs to ensure proper input
    validation and HTML escaping of any input echoed back to the
    browser.  Their system should also use a form key to ensure that
    form input comes from the authenticated user interactively.
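    The two server-side fixes recommended above, as an added example
    that is neither Schwab's code nor Jeffrey Baker's: a constructed
    Python sketch of an order-entry handler that first reflects the
    Symbol0 parameter into the form unescaped (the behaviour the
    advisory describes), then the same rendering with HTML escaping,
    plus a per-session form key that must accompany every submission.
    The request is built from the Symbol0 portion of the advisory's
    proof-of-concept query string; the session store, the handler
    shape and all function names are assumptions for illustration.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Constructed input: the reflected parameter from the advisory's
# proof-of-concept URL (the remaining order fields are omitted).
POC_QUERY = ("Symbol0=foo%22><script>alert(document.cookie)</script>"
             "<input%20value=%22&TradeType0=Select+One")


def parse_query(query_string):
    """Decode a query string into a flat dict, keeping empty fields."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def render_vulnerable(params):
    """'Before' form: Symbol0 is echoed into an attribute value verbatim.
    A double quote in the input closes the attribute, so everything after
    it becomes live markup in the user's browser."""
    return '<input name="Symbol0" value="%s">' % params.get("Symbol0", "")


def render_fixed(params):
    """'After' form: the same echo, but HTML-escaped (quotes included)
    so the input can only ever be attribute text, never markup."""
    symbol = html.escape(params.get("Symbol0", ""), quote=True)
    return '<input name="Symbol0" value="%s">' % symbol


def contains_live_script(markup):
    """Crude check used here to show the difference: does a real <script>
    tag survive into the output?"""
    return "<script" in markup.lower()


# Hypothetical server-side session store: login cookie -> form key.
# Both values are random (secrets module), unlike the mostly-constant
# cookie the advisory describes.
SESSIONS = {}


def new_session():
    """Issue a login cookie and bind a fresh form key to it."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = secrets.token_urlsafe(32)
    return cookie


def form_key_for(cookie):
    """The key the server embeds in the form it serves interactively."""
    return SESSIONS[cookie]


def accept_order(cookie, submitted_key):
    """An order is accepted only when the submitted form key matches the
    one bound to the session. A request forged via a link or image in an
    email carries the cookie but cannot know the key."""
    expected = SESSIONS.get(cookie)
    if expected is None:
        return False
    return hmac.compare_digest(expected, submitted_key)


if __name__ == "__main__":
    params = parse_query(POC_QUERY)
    print("vulnerable:", render_vulnerable(params))
    print("fixed:     ", render_fixed(params))
    c = new_session()
    print("genuine submission accepted:", accept_order(c, form_key_for(c)))
    print("forged submission accepted: ", accept_order(c, "guessed-key"))
```

    The escaped rendering keeps the attacker's text as inert attribute
    content, and the form key is what makes an order submission prove
    that it came from a page the server itself just served to that
    session rather than from a link the user was tricked into loading.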