Bugtraq mailing list archives

Security flaw in IBM Client Security Password Manager
From: Luís Miguel Silva <lms () ispgaya pt>
Date: Tue, 3 Oct 2006 01:56:23 +0100

Hello all,

I recently found a security flaw in the design of the IBM Client Security
Password Manager (an application used to authenticate application forms using
fingerprints).

It came to my attention that the application only recognized my e-bank site and
authed against it if I had just created a profile. If I closed the browser and
opened a new one, the IBM Password Manager wouldn't recognize the e-bank site.

I figured that the password manager mapped its profiles against the "window
name" property of the application.

In this case, the problem was that the bank dynamically changed the window title
to the current date.

Since the IBM Client Security Password Manager authenticates by mapping the
window title information, a malicious user could trick another user into
sending his credentials (by phishing, XSS or by other simple methods...)

This is very easy to test:
a) using the IBM Client Security Password Manager, create a new profile for a
site with a static title (for instance, Horde webmail)
b) create a new site with the same window title and host it *anywhere you like*
c) go to that site and authenticate against it with the IBM Client Security
Password Manager application.

If you are using Horde (a Portuguese version) you can test it in this page:
http://lms.ispgaya.pt/goodies/ibm/

It is actually ironic that, since the IBM application works this way, a user is
better off using the browser's built-in password manager (since it would detect
that the site isn't safe / recognized).

Best regards,
+----------------------------------------
| Luís Miguel Ferreira da Silva
| Network Administrator @ISPGaya
| Instituto Superior Politécnico Gaya
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Tel: +351 223745730/3/5
| GSM: +351 912671471 +351 936371253
+----------------------------------------

----------------------------------------------------------------
This email was sent via the ISPGaya webmail
Instituto Superior Politécnico Gaya

Attachment: _bin
Description: PGP Public Key
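
Both symptoms reported in the message above (a saved profile no longer matching once the page title changes, and a different host with the same title matching) follow from keying profiles on the window title. The sketch below is an added example, not IBM's code or the poster's: it models that lookup beside one keyed on the page origin, and the class names, hosts and titles are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return (scheme, host, port) for a web URL, or None if it has no web origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])

class TitleKeyedStore:
    """Model of the reported behaviour: the window title is the only key."""
    def __init__(self):
        self._profiles = {}
    def save(self, title, url, credentials):
        self._profiles[title] = credentials      # url plays no part in matching
    def lookup(self, title, url):
        return self._profiles.get(title)

class OriginKeyedStore:
    """Hardened variant (assumed design): key on origin, ignore the title."""
    def __init__(self):
        self._profiles = {}
    def save(self, title, url, credentials):
        origin = origin_of(url)
        if origin is None:
            raise ValueError("profile must belong to an http(s) origin")
        self._profiles[origin] = credentials
    def lookup(self, title, url):
        origin = origin_of(url)
        return self._profiles.get(origin) if origin else None

def demo():
    """Run both stores over the same constructed sites and report what each releases."""
    creds = ("alice", "constructed-secret")      # constructed sample value
    results = {}
    for store in (TitleKeyedStore(), OriginKeyedStore()):
        store.save("Webmail :: Login", "https://webmail.example.org/login", creds)
        store.save("Bank 2006-10-02", "https://bank.example.com/", creds)
        results[type(store).__name__] = {
            # same title served from an unrelated host
            "same_title_other_host": store.lookup(
                "Webmail :: Login", "http://other.example.net/") is not None,
            # same bank site, title changed to the next day's date
            "bank_next_day": store.lookup(
                "Bank 2006-10-03", "https://bank.example.com/") is not None,
        }
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```
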

