
What Happens When You Send a Zero-Day to a Bank? - ivank
https://privacylog.blogspot.com/2017/04/what-happens-when-you-send-zero-day-to.html
======
iamleppert
There needs to exist a legal entity/non-profit or company that acts as a
shield and/or escrow for these kinds of situations. Basically, as a researcher
you can have them deal with the company/organization for you, including
dealing with any threats, collecting any bounties due, and such. The company
could have domain expertise of the industry, laws, and generally be a force
against these companies -- the analogy would be a lawyer.

This is for cases where you want the credit but still want the protections
afforded by being somewhat anonymous. Similar to WikiLeaks but more focused on
allowing the company or entity to solve their problems and representing
fairness on all sides.

~~~
runamok
Personally I think this is a function the FBI should fill. However, there
is a risk they would sit on zero-days and weaponize them (or give them to
another three-letter agency).

I wonder if an org like the EFF could add this to their scope.

~~~
user5994461
> However, there is a risk they would sit on zero days

Unlikely. They are still here to protect Americans, in a sense. Stealing money
from a bank or a regular business is not on their agenda.

There are some 10% of vulnerabilities that might have re-use for intelligence
purposes, but it shall be alright for the bulk of it.

~~~
njharman
> They are still here to protect americans

That may be the charter of the organization. But the goals of the individual
people running the FBI are to 1) be reappointed / not get fired 2) continually
expand their budget / power. Given US politics, 1 & 2 are not always congruent,
esp. in the short term, with "protecting Americans".

~~~
Spooky23
Have you ever interacted with law enforcement on any professional basis?

They aren't like that at all.

~~~
njharman
1) yes, but with the "troops" and lower level managers.

2) the Director of the FBI (and other high-level managers) is much more of a
political bureaucrat than a LEO.

------
alistproducer2
On a similar, but separate note, my bank launched a new version of its online
banking platform. From launch I noticed it opened my accounts in a new tab
while leaving my credentials (password and all) in the sign-in form. Not so
bad when signing in from home - horrific if you're signing in from a public
computer. I tweeted to the bank and spoke to someone on the phone about it.
It's been 3 months and the bug is still there.

[EDIT] I decided to log in today just to see if it's still there (was a couple
days ago), and it's finally been patched. If I had used a throwaway I would
gladly let you guys know the bank, but I won't since it's trivial to find out
who I am from my handle.

~~~
beamatronic
Who logs into their bank from a public computer? Genuinely curious.

~~~
Klipi
There are plenty of laggards who don't have home internet and only browse
through e.g. a library computer. Some of them are probably doing banking too,
given the recent trend of preferring online transactions.

~~~
bjacobel
> laggards

Or, you know, poor people.

------
Sujan
For anyone as confused as me by the timeline bit: the author is called
Will(iam) Entriken. So "Will" and "Entriken" are the same as "I" and passive
voice.

~~~
ralfd
Yes, this was needlessly confusing in the blog post.

------
cyphar
Kudos to the author, and hopefully they don't get sued as a result. This
bullshit with corporations trying to cover up security vulnerabilities (rather
than fix them) needs to stop.

"Sign this NDA or we will send the FBI to arrest you because you found that
our _banking website's security_ was completely fucking broken and told us
about it." Jesus fucking Christ.

~~~
cookiecaper
No one should independently contact a company about this type of issue without
first obtaining competent legal advice. And I do mean _competent_ advice; most
lawyers are very technically illiterate and will not be sympathetic, let alone
familiar with the relevant areas of law.

The researcher is lucky that TradeKing believed their NDA trick was
sufficient. Even if the case here is weak, and I wouldn't necessarily assume
it is, it would still seriously damage the researcher's life.

Here's how it goes when you get sued by a big company. Their lawyers
essentially have a heyday doing everything possible to obstruct and delay the
process so that they can maximize their time on the corporate teat. It will go
on for years; they won't mind because it's business as usual for them, and
they're getting paid big bucks to torment you. Your life will be ruined:
assets seized pre-emptively, reputation and credit destroyed, inordinate
quantities of time consumed by legal research and tedious paperwork,
struggling (if not immediately blatantly failing) to keep your incompetent
counsel paid at $250/hr and meet the retainer, and eventually failing to file
some document or pay some fee that will cause the court to enter a default
judgment against you and permanently confiscate everything you own, leaving
you with the albatross of a massive outstanding judgment waiting to be
enforced, bank accounts garnished any time you get any money, etc. And that's
the short version!

And then guess what -- if, by some miracle, you don't lose in the first round,
this whole process will repeat as they file appeal after appeal. Hunker down
because the proceedings will last at least 5 years.

The corporate lawyers will be able to justify all of it to their clients
without blinking an eye, who probably forgot that they even asked them to sue
you. Everyone at the company and the law firm will go home and sleep soundly
on their piles of money, and you'll have learnt your lesson that trying to
stop the subterfuge of an online trading platform is a terrible offense.

Good reading:
[http://www.nissan.com/Lawsuit/The_Story.php](http://www.nissan.com/Lawsuit/The_Story.php)

IANAL.

~~~
cyphar
My father is a (technically literate, he used to be a database architect)
lawyer, and the general advice he gave me was that if you are in a situation
where you have a critical vulnerability you should disclose it through a
lawyer anonymously -- your identity is then protected under attorney-client
privilege (assuming you haven't just asked your lawyer to commit a crime by
disclosing it).

IANAL though.

~~~
fulldecent
Interesting idea. Thank you for sharing. Is the goal just anonymity?
Technically we already have solutions for anonymous disclosure of documents.
Are there other benefits?

~~~
cyphar
A technical solution to the anonymity problem would probably work just as well
(assuming it wasn't backdoored), though the protections against a lawyer
disclosing their client are legal rather than technical (so the "splatter" from
a company's over-reaction is more likely to be smaller). You also get the
additional benefit of the company probably taking a disclosure more seriously
if it comes with a law firm's letterhead (unfortunately).

------
lisper
The NDA is not a valid contract because there is no consideration. For a
contract to be valid each party has to gain something. This is why many
contracts include a token consideration of $1. This one didn't, so it's
invalid.

~~~
beefhash
Consideration is a common law concept as far as I can tell. As someone
unfamiliar with how it came to be: Why was consideration introduced? What's
the rationale, the goal behind it?

~~~
lmkg
IANAL

A contract is what lets you sue someone over a private transaction. That's
what it does, that's all it does. If for whatever reason you're not willing to
bring a contract dispute to court, then your contract doesn't do anything and
you wasted your time writing it. Contract = right to sue for breach of
contract.

In order to sue someone, you need to be able to describe what damages have
been done to you. The goal of a lawsuit is for the responsible party to 'make
you whole,' i.e. pay you back an amount equal to the damages done to you.

In a contract dispute, the 'damages' of breaking the contract is equal to the
'consideration' of fulfilling the contract. In other words, the promised
consideration is the actual thing that you can sue over.

If there is no consideration, then there are no potential damages, and there
is no potential lawsuit. And since the only point of a contract is to enable a
lawsuit, a contract that doesn't do that isn't a contract.

~~~
tomblomfield
_" the 'damages' of breaking the contract is equal to the 'consideration' of
fulfilling the contract"_

This is categorically incorrect.

Damages for breach of contract are supposed to put you back in the position
you'd have been in had the contract been performed. It's not related to the
value of the consideration.

Consideration is one of the things needed to make a contract binding in
English law (along with offer & acceptance, and "intention to create legal
relations").

Jurists still debate the rationale for consideration, but the best answer I've
found is that a contract in English law is seen as an exchange or a "bargain".
There is no gratuitous contract; donations are not a contractual right.

By comparison, a contract under French law is based on "consent of the
parties" and the theory of individual autonomy. There's no requirement for
consideration.

In a "mutual NDA", consideration is easy to find; each party agrees not to
disclose confidential information disclosed by the counterparty.

Another way to make an agreement binding without consideration is to sign it
as a deed.

[https://blogs.warwick.ac.uk/anneprudhomme/entry/consequences...](https://blogs.warwick.ac.uk/anneprudhomme/entry/consequences_of_illegal/)

~~~
jdmichal
> In a "mutual NDA", consideration is easy to find; each party agrees not to
> disclose confidential information disclosed by the counterparty.

I don't think mutual NDAs are typical. Typically, you sign an NDA prior to
receiving information. So the consideration for signing the NDA is receiving
the information that you agreed to not disclose. If you already have that
information, then that's no longer valid consideration.

In this case, the reporter _already_ knew the security vulnerability, so that
knowledge could not be considered consideration. The bank would have needed to
offer something else.

------
wyldfire
Lesson learned: when reporting a vulnerability, record all discussions from
first contact with the vendor. At least in cases where the vendor doesn't have
a clear, easy to find policy and/or bounty for disclosures.

I think it's totally fair to reject an NDA but I don't blame him for fearing
an overzealous reaction on their part. Even being on the right side of
criminal and civil law, you really do have to be willing to spend time and
money to mount an affirmative defense.

~~~
rabidonrails
I believe that you'd need to tell them that they were being recorded or you
could get yourself into trouble.

Edit: looks like this could be possible without getting into trouble depending
on the state you're in: [http://lifehacker.com/5491190/is-it-legal-to-record-phone-ca...](http://lifehacker.com/5491190/is-it-legal-to-record-phone-calls)

~~~
inetknght
As someone who lives in Texas, I can confirm that Texas is a one-party state.
I specifically do _not_ need to inform people of recording devices _if I am a
party to the conversation_.

It bothers me a lot when services, such as Google Voice, announce to all
parties that such recording is occurring.

~~~
dragonwriter
> It bothers me a lot when services, such as Google Voice, announce to all
> parties that such recording is occurring.

Google is based in California. There is a good probability that the act of
recording occurs there. California is an all-party consent state. Also, even
if the recording isn't happening in California, it's potentially tricky to be
sure that no party to the call is in California (even numbers assigned to
landlines don't assure that the person ultimately connecting is in a
particular place.)

~~~
jungletek
From my naive understanding and possible spotty recollection of the law(s)
involved: in the US at least, as long as the recording party is in a one-party
state then it doesn't matter where the other parties are located.

------
jupenur
In Finland, most online stores allow you to pay for your shopping directly
using your online bank. The way it works is the online store calls the bank's
e-payment API, which in turn lets the user authenticate using their normal
online bank credentials and accept the payment.

A few months back I did some research [1] on these e-payment APIs and noticed
that one of the major banks had a serious flaw in their API implementation. It
was possible for the end-user to manipulate the signed API calls to change the
payment amount, effectively paying less than the actual price for products
they buy.

I reported the issue to the bank and got a swift response where they
acknowledged my report and said they were looking into it more closely. A few
days later I got another email where they basically said "ok, this looks bad,
and we can see it's pretty trivial to exploit, but... it's too expensive to
fix, so we won't do anything".

I wasn't comfortable with this, so next I reported it to NCSC-FI/CERT-FI. They
also agreed that it looked bad, but said that they had no way of forcing the
bank to take action. So that got me nowhere either. I haven't heard from
either NCSC-FI or the bank since, but the issue does appear to be partially
mitigated now.

I've since found several other issues in the same bank's systems but haven't
bothered to report them since they don't really seem to care.

[1] [https://www.slideshare.net/JuhoNurminen/the-sorry-state-of-f...](https://www.slideshare.net/JuhoNurminen/the-sorry-state-of-finnish-epayment-apis)

~~~
noir_lord
Post them anonymously and see how fast they become too expensive to not fix.

~~~
Jweb_Guru
Unless you think this would actually lead to banks taking such vulnerabilities
more seriously in general--which I don't believe is the case--taking an action
like that is _pure_ spite. Consider the possible outcomes for this particular
vulnerability: [1] nothing happens, [2] it gets heavily exploited, customers
lose money, and it doesn't get fixed, [3] the same thing happens and it does
get fixed. In all three cases, the outcome is at least as bad as it would have
been had you done nothing, except possibly earlier and worse.

I really take issue with the notion that security is important, so you're
fully justified in screwing people and companies over as much as possible to
prove a point. That seems to be a common attitude in the security community. I
get the frustration people have with the intransigence of corporations and
programmers, and people's general stubborn unwillingness to understand the
severe impact of vulnerabilities, but if just security-shaming companies into
fixing bugs actually worked we would have a much more secure internet today
than we actually do. Unless you can get regulatory agencies to start holding
companies and individuals _legally_ accountable for security issues (that is,
making it more expensive not to fix than to fix), _nothing_ will change, even
if you have all the technical solutions and social pressure in the world.

~~~
jupenur
Also a big issue here, as with many software vulnerabilities, is that the
people the public disclosure would actually damage are the users, not the
company making the vulnerable software. The bank would only start losing money
if the users (personal customers, business customers using their APIs) would
notice the hack and start demanding their money back.

~~~
fulldecent
It would be very nice if your security disclosure report included a section
about how you have provided good faith upfront notice to the vendor and that,
based on research and belief, it would be negligent for the company to not fix
the issue by X date.

The wording you choose should be cognizant of your state's laws and the
company's user agreement in such a way that the company is actually at risk if
they ignore you.

When talking to people, "Reason is, and ought only to be the slave of the
passions".

When talking to companies it is only necessary to discuss the impact on their
profit.

~~~
jupenur
Just to be clear, I haven't really disclosed anything publicly, not regarding
the e-payment API issue or any other issues for that matter. The SlideShare
from my comment references the e-payment API vulnerability but doesn't
disclose any technical details. It's not possible to reproduce the attack
based on the slides alone.

------
teamhappy
In Germany you can contact the CCC to walk you through the process of
reporting vulns like this one. I'm sure the EFF does similar things for US
citizens. A quick Google search brought up this FAQ: Coders' Rights Project
Vulnerability Reporting FAQ ([https://www.eff.org/issues/coders/vulnerability-reporting-fa...](https://www.eff.org/issues/coders/vulnerability-reporting-faq))

------
kevin_thibedeau
There was no value in discussing this over the phone. Clearly their only
motivation was to trick him into signing the NDA or foolishly becoming an
employee to keep him silenced. Just send in the bug report and empty your
account. If the bug persists after 6 months then close the account and go to
public disclosure.

~~~
fulldecent
Yes, this is my new IJDGAF policy. The phone call was a losing proposition
from the beginning.

However if the FBI and NCFTA were /genuinely/ interested in disclosing this in
their forum for other banks then maybe my phone call with them may have been a
win-win. But I think they were not genuinely interested.

------
kharms
About a month ago I noticed that my bank had a vulnerability - I could access
the details and photos of every remotely deposited check. I sent them an
email, they took the feature offline in about 2 hours.

No bug bounty but oh well.

~~~
mcescalante
My bank used to show deposited check photos in a popup with the URL viewable
iirc, and at some point they switched to a modal window with base64 data as the
source instead of a URL that might be manipulated. I wonder how many small
banks still may have bugs like that.

~~~
fulldecent
Modifying a data: url is a feature not a bug.

------
cosinetau
I think they're regarding these things as weapons, because that's how they or
others are using them.

It doesn't matter how we regard CVEs as a community, this is the truth of the
matter outside of it. We're handing them over a bomb, and they want to know
why. It feels very Spy vs Spy to me, as silly as that sounds.

~~~
knodi123
That was my experience when I stumbled across a text file with several
thousand credit card numbers, which included tons of details about each card
holder, including SSN.

I tried reporting it to the credit card, and to the issuing bank, and to the
FBI. The only thing I asked was that they cancel the credit card accounts and
put a "potential fraud source" note on each customer's account. Each party I
called was more concerned with threatening me, and trying to find out what
kind of criminal angle I was playing, and what my ulterior motive was, etc
etc. I honestly expected to hear "Oh dang, that sucks, we'll close the
accounts and contact the victims", and was depressed at the hostility I
encountered.

~~~
platz
Suppose they granted your plan to "cancel the credit card accounts" and put a
"potential fraud source" note on each account.

That's pretty much trying to shut down business with their customers. You
don't see how they'd interpret that as hostile? Future actors would know how
to apply similar techniques if the outcome was in their favor (e.g. Anonymous
suddenly produces a large file of cc#'s and threatens bank!)

> The only thing I asked..

In fact, why _were_ you making demands about how they handle their customer
relationships, instead of simply presenting what you'd found?

~~~
joshuamorton
When you come across a single credit card number (say, by finding someone's
card on the ground), the response by most financial institutions is to
invalidate that card and mail them a new one. Why shouldn't the response be
the same if you come across a stack of 100 credit cards?

~~~
platz
The response to invalidate is a choice by the bank, not the person who finds
the card. Also, that is a single number. It's suspicious/threatening for a
non-trivial amount of cards when the presenter also makes demands.

~~~
joshuamorton
How is "someone has stolen your clients information and likely already sold it
to nefarious actors, because otherwise it wouldn't be on the internet
anywhere, so you should keep them safe by deactivating those accounts"
threatening?

I'd be annoyed if my bank _didn't_ do something.

~~~
platz
That is a different point. You are changing the party being considered by
reframing it under yourself, a customer, instead of considering it from the
point of view of the bank.

~~~
joshuamorton
That's ridiculous. If the bank is aware that my credentials are available
online somewhere and are taking no action to protect me, they're being
complicit in any harm that comes to be, because they have both the
responsibility and ability to take action, and refuse to. They're being
irresponsible and potentially harming their clients.

So again, how is saying "You should take action to protect your customers'
data" a threat? How can it be interpreted as a threat? What is threatening
about it?

------
jeremyt
I wrote this a couple of years ago about Schwab's embarrassing security. Most of
the issues are still there.

[https://jeremytunnell.com/2014/12/22/swab-password-policies-...](https://jeremytunnell.com/2014/12/22/swab-password-policies-and-two-factor-authentication-a-comedy-of-errors/)

~~~
oogali
FYI,

Password + token is a common pattern in systems where hardware/software/OTP
tokens were bolted on after the fact.

Not just that, but on certain systems (think a Windows login screen, or a
POP3/IMAP login for your e-mail client), you can't have a 3rd "token" field --
they're hardcoded to ask for just a username and password.

So vendors came up with the idea of appending the token value onto the
password, and their middleware (say, a PAM module) splits the provided value
into password and token and validates both.

EDIT: That's not to say that Schwab is doing it right (in the front-end,
seriously???), but just pointing out it's not as uncommon as you think.

~~~
jodrellblank
RADIUS backend to network equipment as well. Since RADIUS is old, it doesn't
have great password hash/encryption support (afaik), so you don't use it over
open networks already, and it's well entrenched / widely supported.

So have it with no encryption, and the back-end can pull the password and 2FA
code apart and verify both of them, for all kinds of systems which have only a
username/password prompt for logins.
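
The mechanism oogali and jodrellblank describe (one password field carries password + OTP, and the middleware behind the login prompt or RADIUS server splits the value and validates both factors) looks like this when written out. This is an added example, not code from the article, from Schwab, or from any PAM or RADIUS module; the user record, salt and password are constructed, and the TOTP secret is the RFC 6238 test key so the expected codes are the published ones.

```python
import hashlib
import hmac
import struct
import time

TOKEN_DIGITS = 6            # OTP length the middleware expects at the end of the field
STEP = 30                   # TOTP time step in seconds
SALT = b"constructed-salt"  # a real system stores a random salt per user


def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed user record. The TOTP secret is the RFC 6238 test key
# (ASCII "12345678901234567890").
USERS = {
    "alice": {"pw_hash": pw_hash("hunter2"), "totp_secret": b"12345678901234567890"},
}


def hotp(secret, counter, digits=TOKEN_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, now, step=STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step)


def split_credential(combined):
    """The middleware step: the last TOKEN_DIGITS characters are the OTP,
    everything before them is the password. Returns None if the field
    cannot possibly hold both."""
    if len(combined) <= TOKEN_DIGITS:
        return None
    password, token = combined[:-TOKEN_DIGITS], combined[-TOKEN_DIGITS:]
    if not token.isdigit():
        return None
    return password, token


def verify_totp(secret, token, now, window=1):
    """Accept the current step and `window` steps either side for clock skew.
    Every candidate is compared, so timing does not reveal which slot matched."""
    counter = int(now) // STEP
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c), token)
    return ok


def authenticate(username, combined, now=None):
    """Validate a single 'password' field that carries password + OTP."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    parts = split_credential(combined)
    if user is None or parts is None:
        return False
    password, token = parts
    # Both factors are always evaluated; short-circuiting on the password
    # would let the response time reveal which factor failed.
    password_ok = hmac.compare_digest(pw_hash(password), user["pw_hash"])
    token_ok = verify_totp(user["totp_secret"], token, now)
    return password_ok and token_ok
```

Two caveats a deployment of this pattern needs that the snippet leaves out: an accepted OTP step should be recorded per user so the same code cannot be replayed inside the skew window, and the fixed-length split only works because the OTP length is constant; a password ending in six digits is still handled correctly, but a variable-length token would not be. It also does nothing about the transport: as jodrellblank notes, whatever carries the combined field (RADIUS, POP3/IMAP) still needs its own encryption.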

------
tdalaa
Wow. Going on with your life as a C-level executive with this knowledge, as if
it's just all good, is just insane. I'm sure they're in the clear personally
now, but I can certainly see why they would wanna sell their company fast
after gaining this knowledge in 2010.

~~~
lisper
> I'm sure they're in the clear personally now

Don't be so sure. If they didn't disclose this to their buyers they are guilty
of fraud. The statute of limitations has probably run out (I don't know which
state has jurisdiction here), but delayed discovery rules may apply.

~~~
ballenf
I'm not so sure it's fraud for 2 reasons: 1) how easy it would/should be for
the buyer to discover the issue; 2) these transactions generally have very
detailed disclaimers / disclosure -- basically making them 'as-is'
transactions.

If I were a betting man, I'd bet the buyer knew about the issue and basically
didn't care.

~~~
dmix
Yet security researchers go to prison for iterating the ID numbers in a URL to
access private profile pages :/

This is negligent. If they are running banking ecommerce infrastructure and
are unable to deal with 101 security risks then it is absolutely negligent.
The "it is too complex for the average person" isn't an adequate defense.

The only thing is that there has to be someone who lost something of real
value for it to go to court as negligence does it not?

~~~
fulldecent
This is good thinking. But you need iron tight wording when spelling this
stuff out.

In your contact with companies you should say "Failing to fix this issue would
be a violation of reasonably assumed security practices as required in LAW..."

------
jwilk
Archived copy, which can be read without JS enabled:

[https://archive.fo/8ZpDJ](https://archive.fo/8ZpDJ)

~~~
fulldecent
Thank you and I am sorry that my blog has offended your browser. Would you
like to recommend a better hosting service I could use instead of the wildly
antiquated Blogger?

I would like to migrate to my own domain with Jekyll or something. But I would
not look forward to implementing commenting and trackbacks even though the
blog is pretty modest anyway in terms of using those features.

~~~
jwilk
According to
[https://news.ycombinator.com/item?id=13355531](https://news.ycombinator.com/item?id=13355531),
the JS requirement is not a problem with Blogger per se, but with some of its
themes.

------
homakov
Exactly what happened to me with Starbucks
([https://sakurity.com/blog/2015/05/21/starbucks.html](https://sakurity.com/blog/2015/05/21/starbucks.html))
- threats, signing NDA, they disappear.

~~~
fulldecent
Thanks for sharing, I remember seeing this before. Fun to read again!

------
klapinat0r
> _if somebody sent you an email with that code (even if you never open the
> email)_

What is he trying to say here? How on earth would it be possible to execute
the URL in the context of _your_ Zecco cookies unless it's opened in a
browser in which you've logged into Zecco?

~~~
xyzzy_plugh
I'm guessing if you used a popular web-based email service, or any browser
email client, then this would be possible.

~~~
klapinat0r
Possibly, but you'd still have to (try to) "render" it in your browser by
opening the mail.

On a similar note, your web mail could fetch images in emails ahead of time,
but that would still be out of your browser's context

~~~
degenerate
Remember...... 2008. Many people still had "auto download pictures" enabled in
their email.

------
galdosdi
Note to self: The right thing to do, if you find a serious vulnerability,
apparently, is consult an attorney. Geez, what a world.

~~~
Havoc
>Geez, what a world.

*America

------
exabrial
Sheesh... From a personal liability standpoint, better to just post these
things to the company anonymously. Give them the standard window (90 days)
then go public.

------
tlackemann
At least it was over http/s

Terrible nonetheless. Reminds me of how Mt. Gox used to hand out password
resets with plaintext passwords in the query string on their own forums.

~~~
stcredzero
_Reminds me of how Mt. Gox used to hand out password resets with plaintext
passwords in the query string on their own forums._

Sounds like somebody should write a book about all of the missteps in that
debacle.

------
noonespecial
The craziest thing is how hard they work to cover it up and not fix it vs how
blindingly easy it always seems that fixing it would be.

It's like circumnavigating the globe backwards in order to avoid using a
crosswalk.

------
brilliantcode
This is a major bombshell. I'd hate to be those guys running Zecco. The fact
that they coerced an NDA to hide the millions of customer transactions that
now have no way of being proven legitimate or not.

I'm pretty sure the author wasn't the _only_ guy looking for vulnerability.
I'm pretty certain criminal minded folks would've already used it....with no
way of finding out which are real or manipulated.

Which further raises the question: why would they go to such extreme lengths
to cover their tracks? They could've easily saved themselves trouble by coming
clean, but because they've gone to such great lengths to hide it and threaten
anyone who tries to expose it, this makes for a Hollywood-type story. That just
seems so over the top, like they are protecting something much bigger.

~~~
justinclift
Worst case (?) scenario, they were abusing the system themselves or were being
pressured to allow others to do so.

It's unlikely, but my point is it's a hole in their system which would allow
this to happen and it seems like they've deliberately let it continue. :(

------
alexchamberlain
Nitpick: was this disclosed to a bank or a broker? Not sure it matters tbf

~~~
scott00
I believe you have picked an actual nit. He reported to Zecco (his actual
broker) and Penson (Zecco's clearing firm). Both were SEC-registered
broker-dealers at the time; neither were banks.

------
abalone
Serious question: Would the FBI actually come to your door if you went full
disclosure with a banking zero day? Is there real legal exposure here or was
that just bluster from Zecco/TradeKing?

~~~
fulldecent
Surely Raneri had no authority to speak for FBI.

BUT actually this vuln may have been from upstream with Penson. And then it
may affect many broker-dealers. They have many clients in the US and Canada.
(Don't laugh that such a ridiculous vuln could be in so many places.)

At the time, considering this (and Penson was on the phone) I understood that
irresponsible disclosure could have serious consequences. FBI would have been
warranted to knock on my door.

That's why I'm now publishing 10 years after the fact.

------
mtempm
> if somebody sent you an email with that code (even if you never open the
> email) then you would be the unwitting owner of one share of Krispy Kreme
> Donuts

Pardon my ignorance, but how would this work?

~~~
grav
I felt ignorant first when reading it as well. But looking at the "FAQ" at the
bottom, it says:

"But this only affects people that are logged in, right? Yes ..."

So I suppose what happens is that the user is already logged into the service
and thus has a cookie for the service in his browser.

If the user then somehow executes a request to the URL in the article with the
same browser (e.g. viewing a malicious email with the IMG tag in a webmail
client), the browser will enclose the cookie in the header of the request.
This makes the request automatically authenticated.

~~~
mtempm
> eg viewing a malicious email with the IMG tag in a webmail client

The article mentions it would occur even without opening the email.

~~~
palunon
Well, it is possible your email client is doing prefetching. I wouldn't rate
it as probable, since you're unlikely to have a client with the same cookies
as your web browser, but still.

You could also abuse Firefox and Chrome prefetching links. I'm not sure Gmail,
for example, removes prefetching attributes in spam links. They do block images
though.

~~~
mtempm
Good point.

Anyways, how would it work with the server receiving any data from the client
just by viewing the link in your browser?
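
The exchange above (grav's explanation that the browser attaches the session cookie to whatever request a page triggers, and mtempm's question of how the server gets any data from the client just by the link being loaded) is cross-site request forgery: the order details ride in the query string of the image URL, and the cookie supplies the authentication. The following is an added example, not code from the article, from Zecco or from any commenter; the site names, session cookie, CSRF token and order are constructed. It models the browser's cookie behaviour, the GET-with-cookie-only endpoint the thread describes, and a hardened endpoint (POST only, Origin/Referer check, per-session token) alongside the SameSite cookie attribute, which is the later browser-side mitigation of the same problem.

```python
import hmac
from dataclasses import dataclass, field

SITE = "https://broker.example"        # constructed stand-in for the trading site
MAILSITE = "https://webmail.example"   # constructed stand-in for a web mail client

# Server-side session store: cookie value -> session (constructed sample data).
SESSIONS = {"sess-abc123": {"user": "alice", "csrf": "constructed-csrf-token-7f3a"}}
ORDERS = []   # orders the server accepted
DENIED = []   # (reason, request) rejected by the hardened handler, for review


@dataclass
class Request:
    method: str
    path: str
    query: dict
    headers: dict
    cookies: dict
    form: dict = field(default_factory=dict)


class Browser:
    """Minimal model of cookie handling: a cookie stored for a site is attached
    to every request to that site, whichever page caused the request, unless
    its SameSite attribute says otherwise."""

    def __init__(self):
        self.jar = {}  # site -> {name: (value, samesite)}

    def set_cookie(self, site, name, value, samesite="None"):
        self.jar.setdefault(site, {})[name] = (value, samesite)

    def request(self, site, method, path, initiator, query=None, form=None, navigation=True):
        cross_site = initiator != site
        cookies = {}
        for name, (value, samesite) in self.jar.get(site, {}).items():
            if cross_site and samesite == "Strict":
                continue
            if cross_site and samesite == "Lax" and not (navigation and method == "GET"):
                continue  # an <img> in a mail is a subresource load, not a navigation
            cookies[name] = value
        headers = {"Referer": initiator + "/"}
        if method == "POST":
            headers["Origin"] = initiator
        return Request(method, path, query or {}, headers, cookies, form or {})


def _session(req):
    return SESSIONS.get(req.cookies.get("session"))


def place_order_vulnerable(req):
    """The pattern the thread is about: a GET whose only authentication is the
    session cookie, so any page that makes the browser load the URL orders."""
    sess = _session(req)
    if sess is None:
        return 401
    ORDERS.append((sess["user"], req.query["symbol"], int(req.query["qty"])))
    return 200


def place_order_hardened(req):
    sess = _session(req)
    if sess is None:
        return 401
    if req.method != "POST":                      # state changes never ride on GET
        DENIED.append(("method", req))
        return 405
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    # Exact match or SITE + "/": a bare startswith(SITE) would also accept
    # "https://broker.example.evil".
    if origin != SITE and not origin.startswith(SITE + "/"):
        DENIED.append(("origin", req))
        return 403
    # Per-session secret embedded in the site's own form; another origin's
    # page cannot read it, so a forged request cannot carry it.
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        DENIED.append(("csrf", req))
        return 403
    ORDERS.append((sess["user"], req.form["symbol"], int(req.form["qty"])))
    return 200


def scenario(handler, samesite="None", method="GET", initiator=MAILSITE,
             navigation=False, with_token=False):
    """Log alice in, then let a page on `initiator` make the browser send the
    order request. The defaults are the article's case: an <img> in a mail,
    viewed in a web mail client, pointing at SITE + "/trade?symbol=KKD&qty=1"."""
    ORDERS.clear()
    browser = Browser()
    browser.set_cookie(SITE, "session", "sess-abc123", samesite=samesite)
    order = {"symbol": "KKD", "qty": "1"}
    form = dict(order)
    if with_token:
        form["csrf"] = SESSIONS["sess-abc123"]["csrf"]
    req = browser.request(SITE, method, "/trade", initiator,
                          query=order, form=form, navigation=navigation)
    return handler(req)
```

Run `scenario(place_order_vulnerable)` and the order is placed with status 200 although nothing from the trading site was ever clicked; the same call with `samesite="Lax"` returns 401 because the browser withholds the cookie from a cross-site image load. Against `place_order_hardened` the image load fails on method, a cross-site POST fails on Origin, and a same-site POST without the token still fails, which is why the token check is kept even where Origin is present: Referer and Origin can be absent on older clients or stripped by privacy settings, and bdonlan's "same domain referer" idea above is a useful forensic signal but not a sufficient control on its own. Every rejection lands in `DENIED` with its reason, which is what an alert on a burst of cross-origin order attempts would read.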

------
whataretensors
I would not be surprised if this turns into a class action lawsuit. The
negligence here is remarkable.

~~~
brianwawok
You need damages to have a class action lawsuit. What are your damages?

I am not saying no one has damages, but if 100s of people had damages, I
expect something would have happened...

~~~
idbehold
Couldn't anyone who lost money on a stock claim damages? How would the bank
prove the purchase order was legitimate, seeing as there's basically no
security around the endpoint and the bank knew it?

~~~
bdonlan
The bank may be able to demonstrate that the vulnerability was not exploited
by, e.g., showing that the order preview page was first loaded with the same
parameters, or showing a same domain referer.

~~~
idbehold
Maybe the bank should've used this method to prevent the problem in the first
place by just checking that the referer request header was from their domain.

~~~
brianwawok
Is it proven anywhere that it wasn't?

~~~
lightbyte
The article mentions that unauthorized transactions were indistinguishable
from legit ones:

>Also their engineers made it clear that unauthorized transactions like this
and later shown below would not be distinguishable from other legitimate
transactions.

------
tjpnz
A strong argument can be made against revealing your name when disclosing
information like this - especially if you're dealing with banks (often
litigious and technically illiterate) and even more so if you're in the United
States. If I was the OP I would've found a way of reporting this information
to the bank anonymously. Possibly followed up with a promise of media
disclosure if not fixed in a timely manner.

------
dvcc
Would he not have a case of gross negligence against Zecco if he were a
customer? Is there something preventing a lawsuit, outside of the possibly
non-binding NDA?

~~~
scott00
No damages, assuming no unauthorized trades were executed in his account as a
result of the unpatched vulnerability.

~~~
idbehold
Couldn't he simply claim unauthorized trades were executed? How would the bank
be able to prove otherwise? Especially considering the bank knew about this
huge security hole.

~~~
PeterisP
In order to do so, he would have to actually declare a claim that a particular
trade was unauthorised. Assuming that he actually _did_ execute all his trades
himself (which, frankly, is quite likely), making that claim in court would be
a crime (perjury + fraud), a much more serious issue than the security
vulnerability.

With sufficient preparation it's likely that the bank (and prosecutors)
wouldn't be able to prove that crime beyond all reasonable doubt, and he
wouldn't be convicted for it, but it still carries a risk that they could
prove that (e.g. by forensic analysis of his computer) and he'd go to jail.

Furthermore, even if he manages to prevail in the criminal case, in the civil
case (where the criteria is less strict) it is quite likely that after
reviewing all possible evidence they'll manage to get to the correct judgement
that the "unauthorised trades" claim was false, thus not getting him anything
anyway.

~~~
idbehold
How is the bank able to get the correct judgement in the civil case?
There's proof the bank knew about the security hole, there is proof that at
least one person outside of the employment of the bank had discovered this
vulnerability (meaning there were likely more), and there is no way for the
bank to prove that the transactions were legitimate. The article mentions that
unauthorized transactions were indistinguishable from legit ones:

> Also their engineers made it clear that unauthorized transactions like this
> and later shown below would not be distinguishable from other legitimate
> transactions.

~~~
PeterisP
For starters, all the details on how that particular transaction was
performed, timestamps, IP addresses, all the browser fingerprints visible in
the logs of that request (they tend to be quite identifying), subpoenaed logs
from the claimant's ISP.

They don't have to prove that it couldn't have been someone else, they have to
convince the court that it's more likely than not. Motive matters a lot - if
there's some way how that transaction would have been useful for a fraudster
(i.e. if it was a money transfer to them), then it's one thing; but if there's
no indication of why someone else would want to make the fraudulent trade
(which is the case for most stock purchases/sells) and a clear motive why the
claimant would want the trade to be reversed (i.e. the stock buy seemed good
on that day but turned out to be bad afterwards) then if there's any technical
evidence whatsoever pointing towards the claimant, it's hard to be convinced.

If data shows that the transaction is e.g. done from some Starbucks and local
security cameras show the claimant near that Starbucks at that time, it's
probably not enough to get a conviction but likely enough to make them lose
the civil claim.

The criminal case would be expected to get much more evidence than an ordinary
civil claim, so they'd likely wait for its results and use everything that the
police/prosecutors gathered to dismiss their civil claim.

~~~
idbehold
> For starters, all the details on how that particular transaction was
> performed, timestamps, IP addresses, all the browser fingerprints visible in
> the logs of that request (they tend to be quite identifying), subpoenaed
> logs from the claimant's ISP.

Again, the IP address would obviously be associated with him and the browser
because that's how the vulnerability works. The attacker just has to get the
victim to visit any website with a browser which has the cookies for the bank.
So proving that the user's browser/machine/IP made the request does nothing to
show that the user did so intentionally.

> Motive matters a lot - if there's some way how that transaction would have
> been useful for a fraudster (i.e. if it was a money transfer to them), then
> it's one thing; but if there's no indication of why someone else would want
> to make the fraudulent trade (which is the case for most stock
> purchases/sells) and a clear motive why the claimant would want the trade to
> be reversed (i.e. the stock buy seemed good on that day but turned out to be
> bad afterwards) then if there's any technical evidence whatsoever pointing
> towards the claimant, it's hard to be convinced.

It doesn't have to be done by a fraudster. The motive for the attacker could
simply be to fuck with people. They don't gain anything but satisfaction from
the fact that they were able to successfully exploit this vulnerability.

~~~
PeterisP
The attack would leave traces. Timestamps would show when exactly the request
was made, ISP logs or data from the claimant's computer would show other
requests in the same seconds (i.e. wherever the victim got served the
malicious link); sending the img link by email would be visible in that email;
getting the user to view a malicious post on some webpage/forum/etc is likely
to leave evidence there.

In general, you make good points, they are believable and likely would be made
if such a court case happened. In the absence of hard evidence, if they seem
slightly more believable than whatever story the company presents, the
claimant would win; if they seem slightly less believable, the claimant would
lose. In a civil claim, the company needs to prove that it was authorised only
just as much as the claimant needs to prove that it was not, it's a somewhat
symmetric contest - simply claiming "I didn't authorise it" is effectively
countered by claiming "Yes you did", and simply moves the discussion on to
further investigation.

The motive _could_ be just a prankster messing with people, but it's a lot
less convincing motive than an obvious benefit. If the transaction is one
where you clearly lose money and someone (possibly anonymous) gains it, it's
easy to make the case that you were hacked. But, for example, if the claimant
had previously unsuccessfully complained to the company about the theoretical
possibility of such vulnerability, and _then_ complained that a seemingly
random transaction is unauthorized, I'm fairly sure that any decent lawyer
would successfully convince the court that "a prankster did it" is comparable
to "the dog ate my homework" and it's a bit more likely that they orchestrated
the claim themselves to mess with the company. Getting 51% of belief is
preponderance of evidence, and sufficient in a civil trial.

And in any case, all this wouldn't be "simply claim" - seriously making such
a claim would require a significant investment of time and money from the
claimant. It's not something most people would do for fun. Some would do it to
make a point, but that's quite a niche hobby.

~~~
bloaf
Do ISP's keep detailed logs as far back as 2005?

~~~
PeterisP
Nope, but if you reported that you just noticed a fake stock deal made 12
years ago on an account that you actively use, you'd have an uphill battle
proving that it really was unauthorised, and the lack of logs would only make
it harder for you.

------
fixxer
Ugh, I hate hearing about crap like this. Unfortunately, the incentives at
large, public, consumer-facing companies always drive this behavior.

I would have done the following:

1. Shut down my account. 2. Send the exploit to the company anonymously with
a deadline to fix. 3. Upon deadline, post exploit and cc the company.

The inability to publish is a rub, but I think we need a cultural shift to
drive back corporate idiocy and protect consumers.

------
pmiller2
Seems to me that given the way it's likely to be received, the proper way to
disclose a vulnerability like this is anonymously, through a lawyer.

------
alkonaut
I'm not quite following the timeline: why did he end up under an NDA and the
too-long wait to get it fixed? Why not say "I'm publishing this on my blog in
30 days so it better be fixed by then"? Would you risk getting in legal
trouble for publishing a way to do bank fraud (for example) - assuming you
gave some reasonable timeframe for disclosure?

~~~
alexbecker
> Would you risk getting in legal trouble for publishing a way to do bank
> fraud (for example) - assuming you gave some reasonable timeframe for
> disclosure?

Of course you would. The bank would call the FBI and tell them you're hacking
the bank, and the FBI would then knock down your door, tear up your house and
drag you away. The system would then do everything it could to represent what
you did as a crime, and if you are lucky you get away with only a year in
court, many thousands in debt and your name dragged through the mud.

tl;dr The actual legality of an action is only tangentially related to how the
legal system will be used against you in response to it.

~~~
alkonaut
So basically what's needed is a place to send these notices anonymously and a
place to anonymously publish the exploit after responsible disclosure - at
least for countries where legislation works like you describe.

I still hope this is not the case in most places outside the US - that is, I
hope the responsible disclosure is complete proof you are in fact _not_
hacking anyone.

------
hartator
Kudos for the balls to come public despite NDA.

~~~
Spoom
Many are questioning the validity of that NDA in an earlier comment due to its
complete lack of consideration.

------
kelvin0
Just to be clear I also find it appalling that any important institution would
take their time in fixing such a simple exploit.

But it seems the reason why these cases don't get resolved quickly is purely
for economic reasons: the perceived cost of fixing the issue seems (to them)
is far greater than the cost of dealing with the (remote?) possibility of the
exploitation of the vulnerability.

I also think the security researchers have an 'overgrown' sense of the urgency
upon having discovered such exploits, and it never seems to get fixed fast
enough from their point of view.

But understanding the forces that are at play also helps understanding such
an 'irrational' decision. Big institutions are not known to be proactive and
the political climate in such environments does not incentivize the 'doers' but
does get people in panic mode to try to stop the leak, instead of the root
cause (the exploit).

~~~
fulldecent
YES. Many authors love to write more than the readers love to read them.

FIRST, be reasonable. This is a good life axiom. Don't expect a large
organization to confirm, engineer, test, certify, and deploy a change that
requires external documentation in less than 14 days. Even if the ship's on
fire.

SECOND, be valuable. If you are reporting a vuln, that is a bug report. When's
the last time you got thanked for /any/ bug report for a non-GitHub project?
If your report explains the cost and liability for lawsuit if they fail to fix
your reported vuln then you are speaking their language.

---

I have a confirmed vuln reported to Apple under their "responsible disclosure"
program since 2015. They have yet to fix it or provide credit as they
promised. If you thought Apple was a magic company that "does the right
thing", then I hope this dispels that myth.

------
jacquesm
That's a lot of errors for one document.

~~~
komali2
I'm also kinda curious why the author didn't run through a simple spell
checker before posting. I'm grateful for the article, it was an interesting
read, but really why not just paste into google docs real quick or something?

~~~
LanceH
Maybe his editor is on leave.

------
jvdh
Things have progressed quite a bit since 2008 fortunately. Vulnerability
disclosures have become much more acceptable, and are handled in a much better
way.

Lots more information about disclosure:

* [https://www.ee.oulu.fi/research/ouspg/Disclosure_tracking](https://www.ee.oulu.fi/research/ouspg/Disclosure_tracking)

* [https://www.ntia.doc.gov/blog/2016/improving-cybersecurity-t...](https://www.ntia.doc.gov/blog/2016/improving-cybersecurity-through-enhanced-vulnerability-disclosure)

* [https://www.thegfce.com/initiatives/r/responsible-disclosure...](https://www.thegfce.com/initiatives/r/responsible-disclosure-initiative-ethical-hacking)

------
komali2
Why did the author post in 2017, so long after? He said in early conversations
he was going to go public much sooner.

~~~
wyldfire
He was afraid that he was bound by the NDA not to disclose it.

Now, in 2017, he flouts the NDA and acts in the public interest.

~~~
idbehold
But why now? What changed?

~~~
ComodoHacker
Perhaps the author gained some age and wits.

------
3JPLW
Surely one acquisition and 9 years later this isn't still an open
vulnerability… right? It'd be nice if the author discussed that.

~~~
fulldecent
I have closed my account and do not know the answer. Also, please if someone
would be able to confirm in the affirmative in this or any other Penson site,
then please start a new round of responsible disclosure.

------
patmcguire
> October 2008

This may be a lot of it. In October 2008, a massive security breach affecting
all accounts was maybe a solid #2 on their list of problems.

~~~
fulldecent
Very nice LOL here.

------
mathattack
Palo Alto's school district just got hit by similar.

[https://www.paloaltoonline.com/news/2017/04/20/pausd-student...](https://www.paloaltoonline.com/news/2017/04/20/pausd-student-data-exposed-in-data-breach)

------
konceptz
I think that an important point in this vulnerability is that it does not
violate the CFAA. From my, albeit limited, understanding of the CFAA, it
requires access breach.

Imagine this conversation were the user to have discovered a parameter which
let the user execute trades on behalf of another user.

~~~
PeterisP
This vulnerability does allow to execute trades on behalf of another user.

For example, a realistic exploit would be to slowly buy up a bunch of a random
penny stock; and then post an image link to some forum frequented by users of
that software with the order "buy 10000 units of stock_x, okthxbye". The order
will be executed by users viewing that forum and will bump up the price as you
dump it.

------
a3n
> What Happens When You Send a Zero-Day to a Bank?

The police rappel down the sides of your house in full gear and shoot your
dog.

Or, per the article, the company pressures you to sign an NDA, and mentions
"FBI" to instill fear of rappelling.

------
walrus01
I recently dropped a credit union because they can't be bothered to secure
their mobile app (in the official google play store!) to use anything better
than TLS1.0.

TLS1.2 and proper crypto schemes should be mandatory at this point.

~~~
web007
They were going to be required by 2016, but then PCI-DSS decided to give
companies an extra 2 years to implement the changes.

[https://cdn2.hubspot.net/hubfs/281302/Resources/Migrating_fr...](https://cdn2.hubspot.net/hubfs/281302/Resources/Migrating_from_SSL_and_Early_TLS_-v12.pdf)

------
anon263626
Mudge at DefCon IIRC had a good point about MIC contractors having
Intellectual Property repeatedly stolen, govt gives more money each time and
disincentives to root-cause analysis and patching vulns/0days.

------
mkagenius
Were cookies shared across sites in 2008? It seems pretty odd..

~~~
fenwick67
Images are loaded with the cookies of their own site. Example: go to
google.com, then open the console and type the following:

    var i = document.createElement('img');
    i.src = "http://news.ycombinator.com/y18.gif";

Then look at the cookies sent over the network.
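
Whether the cookie actually rides along on that image load is, in current browsers, decided by the cookie's own attributes. The following is an added example, not code from the thread: a small Node.js routine that parses a Set-Cookie header and applies the SameSite rules to the kind of request fenwick67's snippet makes (a cross-site subresource load). The cookie names and values are constructed, and the `defaultSameSite` knob is an assumption used to model a browser that applies no SameSite rule when the attribute is absent (the 2008-era behaviour the thread is asking about) versus one that defaults to Lax.

```javascript
// Added example (not the thread's code): would this cookie be sent on a
// cross-site request? Applies the SameSite attribute semantics:
//   Strict - never sent cross-site
//   Lax    - sent only on top-level navigations using a safe method (a click)
//   None   - sent cross-site, but only honoured when the cookie is also Secure

// Parse "name=value; Attr; Attr=val" into { name, value, attrs } with
// attribute names lower-cased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = parts[0].slice(0, eq);
  const value = parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    if (i === -1) attrs[p.toLowerCase()] = true;
    else attrs[p.slice(0, i).toLowerCase()] = p.slice(i + 1);
  }
  return { name, value, attrs };
}

// requestKind: 'subresource' (img/script/fetch from another site),
//              'topLevelGet' (user follows a link to our site),
//              'topLevelPost' (a form on another site posts to us).
// defaultSameSite: what the browser assumes when the attribute is absent;
//   'legacy' models a browser with no SameSite rule at all (cookie always sent),
//   'lax' models the current default (the short "Lax+POST" grace window is ignored).
function sentCrossSite(cookie, requestKind, defaultSameSite = 'lax') {
  const explicit = cookie.attrs.samesite;
  if (explicit === undefined && defaultSameSite === 'legacy') return true;
  const mode = String(explicit === undefined ? defaultSameSite : explicit).toLowerCase();
  if (mode === 'none') return cookie.attrs.secure === true; // None requires Secure
  if (mode === 'strict') return false;
  return requestKind === 'topLevelGet'; // lax
}

// Constructed cookies: the bare session cookie of the era, and a hardened one.
function demo() {
  const legacy = parseSetCookie('session=abc123; Path=/');
  const hardened = parseSetCookie('session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax');
  return {
    legacyImg: sentCrossSite(legacy, 'subresource', 'legacy'),   // the thread's scenario
    modernDefaultImg: sentCrossSite(legacy, 'subresource', 'lax'),
    hardenedImg: sentCrossSite(hardened, 'subresource', 'legacy'),
    hardenedLink: sentCrossSite(hardened, 'topLevelGet', 'legacy'),
  };
}
```

The point to take from the output is that the hardened cookie is still sent when the user clicks a link into the site (Lax permits that), but not on the image load, which is the case that makes the GET-triggered order in the article work. SameSite is a browser-side backstop; it does not replace the server-side checks a state-changing endpoint needs.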

~~~
artursapek
This is how FB & others track everyone on the web through ad frames, like
buttons, etc.

~~~
hoschicz
Do they get info about from which page they got requested when one includes
just an image?

~~~
uiri
Yes, it is passed along through the Referer (sic) header.

------
emmelaich
With some hindsight perhaps the Term of the NDA could have been improved by
adding 'until ten years have passed'

Is that a common element of an NDA's term?

------
samplonius
When you submit a zero day to a bank, maybe let us know. In this case, you
submitted a zero-day to a trader-broker, not a bank.

------
briankwest
Or they call the FBI and bust your ass and you have to file bankruptcy and get
probation.

------
tomrod
What bank or financial firm has 100k branches? That's a HUGE presence.

~~~
fulldecent
Penson created the system that multiple brokers use for multiple branches.

I cannot verify that number but I am quoting it from a phone call with a
Penson engineer.

------
campuscodi
Hasn't this guy ever heard of CERT?

------
stefek99
Balls. Made of steel.

------
bluetwo
Well, good luck.

------
lr4444lr
_What about XFRS, CORS protection, …? This was 2008. We still had the <blink>
tag back then._

Heh.

