Charles Schwab & Co.'s Web site is vulnerable to a well-known attack that could allow a hacker to gain access to sensitive account information, the financial services company acknowledged Wednesday. Reported by San Francisco-based programmer Jeff Baker on the Bugtraq security mailing list on Wednesday, the vulnerability involves "cross-site scripting." The vulnerability, which uses popular Web programming languages such as JavaScript to hijack a customer's Web browser, is similar to one acknowledged by E*Trade Group Inc. (Nasdaq: EGRP) in September.

By exploiting the vulnerability, "malicious users can fool other users' Web clients...which allows them to do things such as stealing that client/server's cookies," Elias Levy, Bugtraq's moderator and the chief technology officer of SecurityFocus.com, wrote in an advisory. Calling the vulnerability a "common flaw," Levy blamed the problem in part on "the lack of good practices by programmers of Web-based applications."

The link for this article located at ZDNet is no longer available.