Late last year on a Friday evening I discovered that logging into our Schwab.com account got lots easier. It was possible to log in without a username and password. Wow, what a vulnerability! Here is the story.
Not expecting this labor-saving bonanza I hadn’t recorded screen shots. Some detail was recovered from browser history and my recollection of an unusual prompt. I called the toll free number an pleaded for nearly an hour repeating to each new call taker “This is a major Schwab network vulnerability.
Connect me to your security operations center. I really need to tell you about a serious login vulnerability”
Finally I got someone who actually understood that being able to log in without a password might be a problem. They put me on hold a long hold and came back only saying “we are aware of the problem and working on it”.
After hanging up I went through the process again grabbing screen shots to show the issue (one is above). On Monday morning I decided to attempt getting to intelligent life with another phone call. This call was slightly more productive. They said that I could send the details to email@example.com. My email briefly explained:
…I was about to login at Schwab.com when Chrome got redirected BEFORE ENTERING LOGIN AND PASSWORD. I was prompted to enter a token value, after doing that I was logged in to my account! I have not cached login info in the browser and …
No acknowledgment, no response — on the next Friday evening it looked like the root of the problem was still in place.
My next step was to move 90% of our funds from Schwab. No response to this either.
The lesson illustrated here is that a deaf incident response team will have difficulty discovering vulnerabilities. It’s been a respectable 6 months since their problem was discovered, now it’s time to warn others.