Schwab Admits To A "Small" Security Hole

Online brokerage Charles Schwab Corp.
has reportedly confirmed its Web trading site was
vulnerable to a security flaw that could allow an intruder to
hijack subscribers' accounts, but insisted the risk was small
and that no accounts had been illegally accessed.

The revelation makes Schwab the second online brokerage to
uncover the flaw, after E-Trade Group did so last
month. Schwab oversees some $420 billion in online transactions
and lists 4.2 million active trading accounts, according to a
Reuters report. The report added that the company said it has
implemented temporary security measures and hopes to install a
permanent fix by year's end.

The bug, known as cross-site scripting, allows private
information such as passwords and bank account numbers, often
stored in users' Web browsers as cookies, to be rerouted to
a hacker's e-mail address or Web site. Cross-site scripting is a
well-known problem in the security community, Reuters said, but
experts insist there have as yet been no known attacks on Web
sites. They added that any hacker who actually gained access to a
Schwab account would be able to perform most functions but, due
to extra security measures, would be unable to withdraw
money.