Home page logo
/

bugtraq logo Bugtraq mailing list archives

More Netscape Passwords Available.
From: robert.e.jones () CWO COM AU (Rob Jones)
Date: Wed, 22 Dec 1999 14:58:52 +1100


Netscape 4.7 stores passwords in preferences.js even
if you never ever even once tell it 'remember passwords',
and even if its a fresh install of 4.7 (the solaris install I tested
on has never seen any other version of Netscape).

I thought I was loosing it with people pointing out that this didnt work
when I thought it did but I've done my howework thistime and
this bug does definitely affect

    Solaris 2.5 Netscape 4.7
    Redhat Linux 6.0 Netscape 4.7

However it only stores them in the file from the time you log onto
your mail server to the time you quite and close all netscape windows.

Obviously this isnt as bad as it could be but it does mean there is a
window of opportunity for a hacker to grab your password
from this file. Like sending you a mail, saying check out this attachment.
You will have had to type in your password (its then in the file), and
the application you run can grab your password .... The rest is obvious.

Rob

P.S. This was tested with an IMAP rather than POP server, but I doubt
if its any different.

P.P.S. No I've not contacted Netscape yet. If anyone thinks they would
change this then please email them. I've havent got time because I
leave this job (peranantly, not just for christmas) on Friday and
I have too much to do before then to find the right  person to contact.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]