4609820 1999-12-22 19:58 /88 rader/ Postmaster Mottagare: Bugtraq (import) <8995> Ärende: More Netscape Passwords Available. ------------------------------------------------------------ Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: BUGTRAQ@SECURITYFOCUS.COM X-Accept-Language: en MIME-Version: 1.0 Content-Type: multipart/alternative boundary="------------DEDED72A44B2CEF304F6075F" Message-ID: <38604C7C.75E16D88@cwo.com.au> Date: Wed, 22 Dec 1999 14:58:52 +1100 Reply-To: Rob Jones <robert.e.jones@CWO.COM.AU> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: Rob Jones <robert.e.jones@CWO.COM.AU> X-To: BUGTRAQ@SECURITYFOCUS.COM To: BUGTRAQ@SECURITYFOCUS.COM --------------DEDED72A44B2CEF304F6075F Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Netscape 4.7 stores passwords in preferences.js even if you never ever even once tell it 'remember passwords', and even if its a fresh install of 4.7 (the solaris install I tested on has never seen any other version of Netscape). I thought I was loosing it with people pointing out that this didnt work when I thought it did but I've done my howework thistime and this bug does definitely affect Solaris 2.5 Netscape 4.7 Redhat Linux 6.0 Netscape 4.7 However it only stores them in the file from the time you log onto your mail server to the time you quite and close all netscape windows. Obviously this isnt as bad as it could be but it does mean there is a window of opportunity for a hacker to grab your password from this file. Like sending you a mail, saying check out this attachment. You will have had to type in your password (its then in the file), and the application you run can grab your password .... The rest is obvious. Rob P.S. This was tested with an IMAP rather than POP server, but I doubt if its any different. P.P.S. No I've not contacted Netscape yet. If anyone thinks they would change this then please email them. I've havent got time because I leave this job (peranantly, not just for christmas) on Friday and I have too much to do before then to find the right person to contact. --------------DEDED72A44B2CEF304F6075F Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit <!doctype html public "-//w3c//dtd html 4.0 transitional//en"> <html> Netscape <b>4.7 </b>stores passwords in preferences.js even <br>if you never ever even once tell it 'remember passwords', <br>and even if its a fresh install of 4.7 (the solaris install I tested <br>on has never seen any other version of Netscape). <p>I thought I was loosing it with people pointing out that this didnt work <br>when I thought it did but I've done my howework thistime and <br>this bug does definitely affect <p> Solaris 2.5 Netscape 4.7 <br> Redhat Linux 6.0 Netscape 4.7 <p>However it only stores them in the file from the time you log onto <br>your mail server to the time you quite and close all netscape windows. <p>Obviously this isnt as bad as it could be but it does mean there is a <br>window of opportunity for a hacker to grab your password <br>from this file. Like sending you a mail, saying check out this attachment. <br>You will have had to type in your password (its then in the file), and <br>the application you run can grab your password .... The rest is obvious. <p>Rob <p>P.S. This was tested with an IMAP rather than POP server, but I doubt <br>if its any different. <p>P.P.S. No I've not contacted Netscape yet. If anyone thinks they would <br>change this then please email them. I've havent got time because I <br>leave this job (peranantly, not just for christmas) on Friday and <br>I have too much to do before then to find the right person to contact. <br> </html> --------------DEDED72A44B2CEF304F6075F-- (4609820) ------------------------------------------(Ombruten)