Although the user's primary Datek account pages are protected by an SSL tunnel, launching the "Portfolio" portion of Streamer causes the user's entire portfolio composition to be transmitted from Datek to the applet in clear text. Anyone able to observe the data stream between the client and Datek's server can therefore read the client's holdings and, using current quotes, work out the portfolio's value.
Credit:
The information has been provided by Chris Grout.
Streamer lets Datek investors graphically monitor and manage their online stock portfolios. This issue was first discovered on October 16, 2001 and was still present as of November 9, 2001. How long it existed before that is unknown.
Vulnerable process:
After connecting to the Datek web site and clicking on login, the user chooses between the "investment site" and the Streamer application. In either case the connection goes to an SSL site, https://investments.datek.com. Choosing Streamer, either from the initial login screen or from the resource pull-down on the investment site, opens another SSL-protected browser window for the Streamer Java applet. Yet the applet itself is downloaded over plain HTTP.
Once Streamer is downloaded and the client launches the "Portfolio" monitoring application, an HTTP GET request containing the user's login ID, along with some additional information, is sent to STREAMERAPP.DATEK.COM. STREAMERAPP.DATEK.COM responds in clear text with the user's login ID, the entire portfolio composition and subsequent updates: specifically, the stock symbol and the number of shares held of each. Combined with current stock prices, this makes it trivial to determine the client's portfolio valuation.
Example:
Below is a sample payload of a packet from STREAMERAPP.DATEK.COM to the client (non-printable bytes are shown as dots):
S.......BARNES82145...3...........CSCO....142600....Cisco Sys Inc
Com........Q....22700... Qwest Communications Intl In
Com........CHK....16412....Chesapeake Energy Corp
Com..S.G.....EXTR.A*.\.A+.=.A+.=......Jah....\....[.A733.A#...A-....q.
A$Q..A+.=..S.%.....^INX.D.<.......D.R=.D..=.D./\..x..S.<.....CHK.=u...
A.ff.@..H........H.........).@..H.@.(..@.....n..S.:.....Q.At...A.p..A.
.H......Z.............A....A.33.A.\)..n..S./.....^INDU.F.........>....
.&..F..=.F.=..F..q..x..S.G.....CSCO.A..{.A.ff.A.ff........H...........
A..\.A.33.A.....q.A..{.A.ff..S.'.....^COMPX.D......"..D....D....D.....
x.....
This discloses that the username is BARNES82145 and that the account holds 142,600 shares of Cisco, 22,700 shares of Qwest and 16,412 shares of Chesapeake Energy Corp. At the quoted prices (figures truncated to whole dollars):
CSCO @ $19.20 * 142,600 shares = $2,737,920
Q @ $11.85 * 22,700 shares = $268,995
CHK @ $6.83 * 16,412 shares = $112,093
Total stock portfolio value: $3,119,008
Since usernames are commonly the client's last name followed by numbers, it is also often possible to identify the user. In addition, people are creatures of habit: the disclosed login ID is likely to be reused at other sites, quite possibly with the same password, so the attacker is left with only a password to guess there.
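The exchange described above can be verified from a passive capture. The following is an added example, not part of this advisory and not Datek's software: it takes a captured STREAMERAPP.DATEK.COM response, pulls out the login ID and each symbol/share-count pair, and marks the positions to market with a price table. The record layout (ticker, share count and company name separated by runs of non-printable bytes) is inferred from the dump above; the sample bytes are constructed to match the printable parts of that dump, with 0x00 standing in for every byte the dump renders as a dot. The real byte values, the meaning of the other fields and any HTTP framing are assumptions, and the regular expressions are heuristics rather than a documented wire format.

```python
import re
from decimal import Decimal
from typing import Dict, List, NamedTuple, Optional, Tuple


class Holding(NamedTuple):
    symbol: str
    shares: int
    name: str


# Constructed sample, not a real capture: printable fragments are copied from
# the advisory's dump; every byte the dump shows as '.' is replaced by 0x00
# because the real byte values are unknown.
SAMPLE_PAYLOAD = (
    b"S\x00\x01\x00\x00\x00\x00\x00BARNES82145\x00\x00\x003"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"CSCO\x00\x00\x00\x00142600\x00\x00\x00\x00Cisco Sys Inc Com"
    b"\x00\x00\x00\x00\x00\x00\x00\x00"
    b"Q\x00\x00\x00\x0022700\x00\x00\x00 Qwest Communications Intl In Com"
    b"\x00\x00\x00\x00\x00\x00\x00\x00"
    b"CHK\x00\x00\x00\x0016412\x00\x00\x00\x00Chesapeake Energy Corp Com\x00\x00"
    b"S\x00G\x00\x00\x00\x00\x00EXTR\x00A*\x00\\\x00A+\x00=\x00"  # quote data follows
)

# Price table taken from the valuation in the advisory.
ADVISORY_PRICES: Dict[str, Decimal] = {
    "CSCO": Decimal("19.20"),
    "Q": Decimal("11.85"),
    "CHK": Decimal("6.83"),
}

# Record header as inferred from the dump: 'S', control bytes, then the login ID.
LOGIN_RE = re.compile(rb"\AS[\x00-\x1f]+([A-Za-z0-9]+)")

# One holding: ticker, control bytes, share count, control bytes, company name
# running up to the next control byte. Heuristic inferred from the dump.
HOLDING_RE = re.compile(
    rb"(?<![A-Za-z0-9])([A-Z]{1,5})[\x00-\x1f]+(\d{1,9})[\x00-\x1f]+ ?"
    rb"([A-Z][A-Za-z0-9 .,&'-]*?)(?=[\x00-\x1f]|\Z)"
)


def strip_http_headers(segment: bytes) -> bytes:
    """Drop HTTP response headers if the captured segment still carries them (assumed framing)."""
    if segment.startswith(b"HTTP/"):
        return segment.split(b"\r\n\r\n", 1)[-1]
    return segment


def extract(payload: bytes) -> Tuple[Optional[str], List[Holding]]:
    """Return (login ID, holdings) recovered from a cleartext Streamer response."""
    body = strip_http_headers(payload)
    m = LOGIN_RE.match(body)
    login = m.group(1).decode("ascii") if m else None
    holdings = [
        Holding(sym.decode("ascii"), int(count), name.decode("ascii").strip())
        for sym, count, name in HOLDING_RE.findall(body)
    ]
    return login, holdings


def portfolio_value(holdings: List[Holding], prices: Dict[str, Decimal]) -> Decimal:
    """Mark the holdings to market; symbols missing from the price table are skipped."""
    return sum(
        (prices[h.symbol] * h.shares for h in holdings if h.symbol in prices),
        Decimal(0),
    )


if __name__ == "__main__":
    login, holdings = extract(SAMPLE_PAYLOAD)
    print("login:", login)
    for h in holdings:
        print(f"  {h.symbol:<5} {h.shares:>8,}  {h.name}")
    print("value:", portfolio_value(holdings, ADVISORY_PRICES))
```

Run stand-alone, the script lists the login ID and the three positions from the sample and prices them at $3,119,008.96, the advisory's total before truncation to whole dollars. Pointed at a live capture, the same extractor would need the real field separators substituted for the 0x00 placeholders; the point it demonstrates is that nothing beyond a regular expression stands between an on-path observer and the account's holdings.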
Concerns:
Users of the Datek Streamer application are led to believe that their personal account information is protected throughout their use of the application, which is not the case. This loss of privacy is a serious breach of the confidentiality of account information.
In addition, HTTP traffic is often retained for extended periods by proxy servers, third-party logging/reporting software and intrusion detection systems, so even after these issues are addressed the private (and sensitive) information already exposed may remain available.
Vendor response:
Datek has acknowledged that the above-described problem exists and that it affects its Streamer application. Datek has not provided us a timeline regarding when this issue will be resolved.