
Bugtraq mailing list archives

Password stored in clear text vulnerability in real time stock trading program


From: Doug Nakatomi <dougnak () LYCOS COM>
Date: Tue, 20 Mar 2001 06:44:32 -0800

Company: REDIProducts, a division of Spear, Leeds and Kellogg

Program: REDI.exe

Background: REDI is real time stock trading software used by active
traders to execute stock orders very rapidly. From their web site
(www.redi.com), bullet points of REDI include: "Optimal execution,
immediate access to maximum liquidity, and a full view of the marketplace
at all times.", "Consolidated, consistent display of all the necessary
decision-making information and order entry capability.", "One screen
has it all: news, charts, order entry, position tracking, and real-time
P&L." Many companies that provide the software have minimum account
balances considerably higher than an average online broker, many are $25,000+.

Seriousness: Very. Access to personal accounts and large amounts
of money is trivial once read file system access is achieved.

Problem: User name and password are stored in a clear text file
on the user's computer every time the user logs in. The file, defaulting
to E:\Program Files\SLK\REDI\Logon\StartLog.txt, contains information
about the program's startup useful for troubleshooting.

Temporary Workaround: I would recommend users of Windows 2000 use
EFS to limit access to the file (right click, properties, advanced,
check encrypt contents to secure data, ok,
ok, ok). This will still allow you, and any process you own or that
runs as you, access to the file so it's not a perfect fix.

Suggested fix: Vendor should remove password and user name from logging.
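The following is an added example, not REDI's code and not from the advisory's author: it contrasts the logging pattern the problem section describes (every logon parameter, password included, written verbatim to the startup log) with the suggested fix (the same troubleshooting record with the password and user name left out), and adds a scanner a user or auditor can run over a StartLog.txt-style file to check whether credentials are still being written in clear text. The parameter names, the sample values and the set of field names treated as credentials are assumptions; the advisory itself only states that the user name and password appear in the file.

```python
import re
from typing import Dict, List, Tuple

# Field names treated as credentials. Assumed set; the advisory names only
# "user name and password" as the fields REDI wrote to StartLog.txt.
CREDENTIAL_FIELDS = ("password", "passwd", "pwd", "pin")
IDENTITY_FIELDS = ("username", "user", "userid", "account")

REDACTED = "<omitted>"


def vulnerable_startup_log(params: Dict[str, str]) -> str:
    """The pattern the advisory describes: every logon parameter, including
    the password, written verbatim to the startup log."""
    return "".join(f"{key}={value}\n" for key, value in params.items())


def hardened_startup_log(params: Dict[str, str]) -> str:
    """The suggested fix: keep the troubleshooting fields, drop credentials
    and the account name from the record before anything reaches disk."""
    out = []
    for key, value in params.items():
        if key.lower() in CREDENTIAL_FIELDS + IDENTITY_FIELDS:
            out.append(f"{key}={REDACTED}\n")
        else:
            out.append(f"{key}={value}\n")
    return "".join(out)


# Matches "password=value", "pwd: value" and similar anywhere on a line.
_CRED_PATTERN = re.compile(
    r"\b(" + "|".join(CREDENTIAL_FIELDS) + r")\s*[:=]\s*([^\s,;]+)",
    re.IGNORECASE,
)


def find_cleartext_credentials(log_text: str) -> List[Tuple[int, str, str]]:
    """Scan a log for credential fields whose value is not redacted.
    Returns (line_number, field, value) for each hit so an auditor can
    confirm the leak without reading the whole file."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in _CRED_PATTERN.finditer(line):
            field, value = match.group(1), match.group(2)
            if value not in (REDACTED, "***", "[REDACTED]"):
                hits.append((lineno, field, value))
    return hits


# Constructed sample logon parameters; not real REDI fields or values.
SAMPLE_PARAMS = {
    "Version": "6.0-constructed",
    "Server": "quotes.example.invalid",
    "Port": "443",
    "UserName": "trader01",
    "Password": "s3cret-constructed",
}

if __name__ == "__main__":
    leaky = vulnerable_startup_log(SAMPLE_PARAMS)
    safe = hardened_startup_log(SAMPLE_PARAMS)
    print("vulnerable log leaks:", find_cleartext_credentials(leaky))
    print("hardened log leaks:  ", find_cleartext_credentials(safe))
```

To check an installed copy, read the real StartLog.txt into a string and pass it to `find_cleartext_credentials`; an empty result after logging in again is the evidence that a fixed build no longer records the credentials. The scanner only looks for credential fields, so the user name (which the advisory also asks the vendor to drop) has to be checked separately, as the last assertion-style line in the example shows for the hardened output.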

Vendor contacted: 3/7/01 via email.
Vendor response: Vendor responded promptly, and released a fixed
version of the software, available from http://www.redi.com/rpdownload.html,
although no public notification of the problem has been seen, and the problem
still exists in versions resold by other companies.

Thank you for your time,

Doug Nakatomi
Information Systems Security Consultant
dougnak () lycos com





