Bugtraq mailing list archives
Password stored in clear text vulnerability in real time stock trading program
From: Doug Nakatomi <dougnak () LYCOS COM>
Date: Tue, 20 Mar 2001 06:44:32 -0800
Company: REDIProducts, a division of Spear, Leeds and Kellogg

Program: REDI.exe

Background: REDI is real-time stock trading software used by active traders to execute stock orders very rapidly. From their web site (www.redi.com), bullet points of REDI include:

- "Optimal execution, immediate access to maximum liquidity, and a full view of the marketplace at all times."
- "Consolidated, consistent display of all the necessary decision-making information and order entry capability."
- "One screen has it all: news, charts, order entry, position tracking, and real-time P&L."

Many companies that provide the software have minimum account balances considerably higher than an average online broker; many are $25,000+.

Seriousness: Very. Access to personal accounts and large amounts of money is trivial once read access to the file system is achieved.

Problem: The user name and password are stored in a clear-text file on the user's computer every time the user logs in. The file, defaulting to E:\Program Files\SLK\REDI\Logon\StartLog.txt, contains information about the program's startup that is useful for troubleshooting.

Temporary Workaround: I would recommend users of Windows 2000 use EFS to limit access to the file (right click, Properties, Advanced, check "Encrypt contents to secure data", OK, OK, OK). This will still allow you, and any process you own or that runs as you, access to the file, so it's not a perfect fix.

Suggested fix: Vendor should remove password and user name from logging.

Vendor contacted: 3/7/01 via email.

Vendor response: Vendor responded promptly and released a fixed version of the software, available from http://www.redi.com/rpdownload.html, although no public notification of the problem has been seen, and the problem still exists in versions resold by other companies.

Thank you for your time,

Doug Nakatomi
Information Systems Security Consultant
dougnak () lycos com
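Added example, not code from the advisory or from the vendor: a Python sketch of the suggested fix (a startup-log writer that drops credential fields before the line is formatted) alongside a defensive check that scans an existing log for leaked user/password fields. The key=value log format, the field names and the sample lines are assumptions; the advisory does not show what StartLog.txt actually contains.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of a startup log that leaks a logon; the real
# StartLog.txt layout is not shown in the advisory, so this is hypothetical.
SAMPLE_STARTLOG = """\
2001-03-07 09:12:01 REDI startup version=HYPOTHETICAL
2001-03-07 09:12:02 logon server=quotes.example.net port=7000
2001-03-07 09:12:02 logon user=jtrader password=Hunter2!
2001-03-07 09:12:03 logon result=OK session=abc123
"""

# Field names whose values must never be written to a troubleshooting log.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "pin", "user", "username", "login")

# key=value tokens; values run to the next whitespace.
_KV = re.compile(r"\b(?P<key>[A-Za-z_]+)=(?P<val>\S+)")


def redact_line(line: str) -> str:
    """Replace the value of every sensitive key=value field with [REDACTED]."""
    def _sub(m):
        if m.group("key").lower() in SENSITIVE_KEYS:
            return f"{m.group('key')}=[REDACTED]"
        return m.group(0)
    return _KV.sub(_sub, line)


def log_startup_event(sink: List[str], event: str, fields: Dict[str, str]) -> None:
    """Safe logging helper (the suggested fix): credential fields are dropped
    before the line is built, so they never reach the log sink at all."""
    safe = {k: v for k, v in fields.items() if k.lower() not in SENSITIVE_KEYS}
    sink.append(f"{event} " + " ".join(f"{k}={v}" for k, v in safe.items()))


def find_credential_leaks(lines: Iterable[str]) -> List[int]:
    """Defensive check for an existing log: 1-based numbers of lines that
    carry a sensitive field (a line that changes under redaction leaked)."""
    return [i for i, line in enumerate(lines, 1) if redact_line(line) != line]


if __name__ == "__main__":
    for n in find_credential_leaks(SAMPLE_STARTLOG.splitlines()):
        print(f"credential leak on line {n}")
```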
Current thread:
- Password stored in clear text vulnerability in real time stock trading program Doug Nakatomi (Mar 21)