SECURITYVULNS:DOC:2167
Stock portfolio sent via clear text in Datek Streamer® application
Nov 12, 2001
vulners.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


S4R - A Managed Services Company
Security - Systems - Storage - Solutions
http://www.s4r.com
[email protected]


Title: Stock portfolio sent via clear text in Datek Streamer®
application
Date: November 9, 2001

  1. Description

Although the user's primary Datek account page is protected by an SSL
tunnel, upon launching the "Portfolio" portion of Streamer®, the
user's entire portfolio composition is transmitted from Datek to the
application in clear text. This allows anyone able to access the data
stream between the client and Datek's servers to view client
portfolios and determine their current portfolio values.

  2. Description of vulnerable systems

http://www.datek.com/education/streamer.html

Streamer® gives Datek investors the ability to graphically monitor
and manage their online stock portfolios. This issue was first
discovered on October 16, 2001 and is still present as of November 9,
2001. It is unknown how long prior to this the issue existed.

  3. Flawed/Vulnerable process

When you connect to the Datek Web Site (http://www.datek.com) and
click on login, you are given the choice of going either to the
"investment site" or to the Streamer® application. In either case
you connect to an SSL site, https://investments.datek.com. Upon
choosing Streamer®, either from the initial login screen or from the
resource pull-down on the investment site, another SSL-protected
browser window is opened for the Streamer Java applet. Yet the
applet itself is downloaded via HTTP.

Once Streamer® is downloaded and the client launches the "Portfolio"
monitoring application, an HTTP GET request containing the user's
login ID, as well as some additional information, is sent to
STREAMERAPP.DATEK.COM. STREAMERAPP.DATEK.COM then responds in clear
text with the user's login ID and the entire portfolio composition,
followed by further data. Specifically, it returns the stock symbol
and the number of shares held of each. Using this information and
current stock prices, it is extremely easy to determine the client's
portfolio valuation.

  4. Example

Below is a sample payload of a packet from STREAMERAPP.DATEK.COM to
the client:

S…BARNES82145…3…CSCO…142600…Cisco Sys Inc
Com…Q…22700… Qwest Communications Intl In
Com…CHK…16412…Chesapeake Energy Corp
Com…S.G…EXTR.A*.\.A+.=.A+.=…Jah…\…[.A733.A#…A-…q.
A$Q…A+.=…S.%…^INX.D.<…D.R=.D…=.D./\…x…S.<…CHK.=u…
A.ff.@…H…H…).@…H.@.(…@…n…S.:…Q.At…A.p…A.
.H…Z…A…A.33.A.\)…n…S./…^INDU.F…>…
.&…F…=.F.=…F…q…x…S.G…CSCO.A…{.A.ff.A.ff…H…
A…\.A.33.A…q.A…{.A.ff…S.'…^COMPX.D…"…D…D…D…
x…

This discloses that the username is BARNES82145 and that they
currently hold 142,600 shares of Cisco, 22,700 shares of Qwest and
16,412 shares of Chesapeake Energy Corp.

CSCO @$19.2 * 142,600 shares = $2,737,920
Q @$11.85 * 22,700 shares = $268,995
CHK @$6.83 * 16,412 shares = $112,093

Total stock portfolio value of $3,119,008

Since it is common for the username to be the client's last name
followed by numbers, it also becomes possible to determine who this
specific user is. And since humans are creatures of habit, they are
likely to use the same password elsewhere.
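A passive parser for the record shown above, added here as an example; it is not code from S4R or Datek. It tokenises a captured payload the way the dump reads: printable fields separated by runs of non-printable framing bytes. The advisory does not show the actual separator values, so the sample payload below uses constructed 0x01/0x02 bytes as stand-ins, and the quote-stream tail after the holdings is likewise constructed. The field order (record type, username, position count, then symbol, shares and description per holding) and the prices are taken from the advisory.

```python
"""Passive parser for the clear-text Streamer portfolio record.

Added example, not S4R's or Datek's code.  Fields are recovered by
splitting the payload on runs of non-printable bytes, which is how the
advisory's dump renders the unknown binary framing.
"""
import re
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample payload.  Field order follows the dump in the advisory;
# the 0x01 / 0x02 bytes are an ASSUMPTION standing in for the real, unshown
# separators, and the tail imitates the quote data that followed the record.
_SEP = b"\x01"
SAMPLE_PAYLOAD = (
    _SEP.join([
        b"S", b"BARNES82145", b"3",
        b"CSCO", b"142600", b"Cisco Sys Inc Com",
        b"Q", b"22700", b"Qwest Communications Intl In Com",
        b"CHK", b"16412", b"Chesapeake Energy Corp Com",
    ])
    + b"\x02\x00\x03^INX\x00\x7f\x01CSCO\x02"   # hypothetical quote-stream tail
)

# Prices used in the advisory's own valuation (November 2001).
PRICES = {"CSCO": Decimal("19.20"), "Q": Decimal("11.85"), "CHK": Decimal("6.83")}

_FIELD_BREAK = re.compile(rb"[^\x20-\x7e]+")   # any run of non-printable bytes


@dataclass(frozen=True)
class Holding:
    symbol: str
    shares: int
    description: str


@dataclass(frozen=True)
class Portfolio:
    username: str
    holdings: tuple

    def valuation(self, prices):
        """Mark the portfolio to market; positions without a quote are skipped."""
        return sum((prices[h.symbol] * h.shares
                    for h in self.holdings if h.symbol in prices), Decimal(0))


def tokenize(payload: bytes) -> list:
    """Split a payload into its printable fields, dropping the framing bytes."""
    return [t.decode("ascii") for t in _FIELD_BREAK.split(payload) if t]


def parse_portfolio(payload: bytes):
    """Return the Portfolio carried in a clear-text 'S' record, or None.

    Anything that is not such a record (an encrypted stream, a bare quote
    feed, a truncated capture) yields None, so the function doubles as a
    detector for the leak itself.
    """
    fields = tokenize(payload)
    if len(fields) < 3 or fields[0] != "S":
        return None
    try:
        count = int(fields[2])
    except ValueError:
        return None
    needed = 3 + 3 * count
    if len(fields) < needed:
        return None
    holdings = []
    for i in range(3, needed, 3):
        symbol, shares, description = fields[i:i + 3]
        if not shares.isdigit():
            return None
        holdings.append(Holding(symbol, int(shares), description))
    return Portfolio(fields[1], tuple(holdings))


if __name__ == "__main__":
    p = parse_portfolio(SAMPLE_PAYLOAD)
    print("username:", p.username)
    for h in p.holdings:
        print(f"{h.symbol:6} {h.shares:>8,}  {h.description}")
    print("valuation:", p.valuation(PRICES))
```

Run over captured payloads, the parser returns None for everything except a clear-text "S" record, which makes it a simple check that the leak is (or, after a fix, is no longer) present on the wire; the valuation reproduces the advisory's figure once the fractional cents on the CHK position are dropped.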

  5. Concerns

Users of the Datek Streamer application are led to believe that their
personal account information is secured throughout the use of this
application, which is not the case. Our belief is that this loss of
privacy presents a serious breach of confidentiality of account
information.

In addition, HTTP traffic is often stored for extended periods of
time by proxy servers, third party logging/reporting software, or
intrusion detection systems and therefore even after this issue is
addressed, the private information that was exposed may still be
available.

We believe this is a serious problem.

  6. Vendor response

Datek has acknowledged that the above described problem exists and
that it affects its Streamer® application. Datek has not provided us
a timeline regarding when this issue will be resolved.

  7. History

Discovered by Chris Grout on October 14, 2001.
Additional forensics by Scott C. Kennedy and Todd Suiter on October
15, 2001.
Initial contact with Datek on October 16, 2001.
Informed Datek of our intention to announce on November 1, 2001.


S4R offers a comprehensive suite of services that include complete
infrastructure design and implementation, 24/7 customer data center
management and support, network security, firewall management,
enterprise storage management as well as data backup and disaster
recovery services. S4R also provides value-added services that enable
co-location and data center facility providers to develop new sources
of revenue from existing assets by leveraging S4R's storage and
managed services solutions.

The company's team of in-house engineers has extensive experience in
all areas of IT infrastructure management, security, system modeling
and implementation. Company executives and top management have broad
technology industry expertise, with prior experience at
industry-leading companies such as IBM Research, Qualcomm, AT&T,
DreamWorks and MTI Corp.

Additional information about S4R can be found at www.s4r.com.

-----BEGIN PGP SIGNATURE-----

iQA/AwUBO+yOLC4fK7wDLJKlEQLFvwCaAz8Rj55DCqvMa5xlyL/oyqh7/xoAn1Vw
iVAHl9gN+gLCqapy9BeNyrt6
=nFLi
-----END PGP SIGNATURE-----