Vulnerability Development: RE: .NET Passport: WALLET SERVICE

RE: .NET Passport: WALLET SERVICE

From: Marc Slemko <marcs_at_znep.com>
Date: Tue, 13 Nov 2001 14:00:13 -0800 (PST)

On Tue, 13 Nov 2001, http-equiv_at_excite.com wrote:

> Interesting project, and well understood. However, it seems that the problem
> in this case is actually the .NET Passport toy wallet thing.
>
> If you entertain an online purchase, you go "shopping" and "add to basket"
> etc. You would then go to the "checkout". When you arrive at the "checkout",
> you are met with blank forms which you are expected to fill out (name,
> shipping address, credit card info etc.). Obviously at this time, if you
> rooted around the browser temp file and retrieved this page, the forms will
> be blank and nothing sensitive is revealed. You would then fill in the forms
> with the data and fire away. Hopefully, as you indicate, the data would be
> 'POSTED' and that's the end of that.
>
> But
>
> The wallet gimmick automatically fills in the forms with your sensitive
> data, so once you arrive at the "checkout" the forms are filled in, the
> entire filled in page rendered and cached, and if you root around the
> browser temp file and retrieved the page, obviously the entire page with
> filled in forms is there for all to see.

No, it isn't fair to say this is a hole with Passport Wallet. The
exact same thing can happen under "normal" circumstances on many
sites if you fill out some of the information on the form incorrectly,
etc. and the server redisplays the form, with filled out information,
and prompts you to correct the incorrect info.

The real question is why is the browser saving the page to disk.
This likely amounts to an interaction between the cache control
directives that the browser (IE in this case, I guess) listens to
and what the server sends. You also suggested that it happens even
when you select "do not save encrypted pages to disk" in IE; if
so, that would seem to be a bug in IE.

The point is there are more cases where caching pages to disk can result
in sensitive information being saved than this, and the website/browser
combination needs to deal with them regardless of if Passport Wallet is
in the picture or not. Passport Wallet just makes it a little more
important to deal with it.
Received on Nov 13 2001
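
An added example, not part of the original message: a Python check of the server side of the interaction discussed above, flagging a response that renders pre-filled form fields while its Cache-Control header still lets the browser keep a copy. The header values, field names and checkout page are constructed for illustration.

```python
from html.parser import HTMLParser

# Input types that do not carry user-entered text; hidden fields are skipped
# here for brevity, although they can hold sensitive values too.
SKIP_TYPES = {"hidden", "submit", "button", "reset", "image", "checkbox", "radio"}

class PrefilledFields(HTMLParser):
    """Collect names of <input> fields the server rendered with a non-empty value."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "text").lower() not in SKIP_TYPES:
            if (a.get("value") or "").strip():
                self.names.append(a.get("name") or "?")

def cache_directives(headers):
    """Parse Cache-Control into a set of lower-cased directive names."""
    h = {k.lower(): v for k, v in headers.items()}
    raw = h.get("cache-control", "")
    return {d.split("=")[0].strip().lower() for d in raw.split(",") if d.strip()}

def audit(headers, body):
    """Return (may_be_stored, prefilled_field_names) for one response."""
    parser = PrefilledFields()
    parser.feed(body)
    # Only no-store forbids a cache from keeping a copy. no-cache (revalidate
    # before reuse) and private (no shared caches) still permit the browser
    # to write the page to its local cache.
    may_be_stored = "no-store" not in cache_directives(headers)
    return may_be_stored, parser.names

# Constructed sample: a checkout form redisplayed with the user's data filled in.
CHECKOUT = '''<form method="post" action="/pay">
<input type="text" name="cardholder" value="A. Example">
<input type="text" name="card_number" value="4111111111111111">
<input type="text" name="coupon" value="">
<input type="hidden" name="step" value="2">
<input type="submit" value="Buy">
</form>'''
WEAK = {"Cache-Control": "private, no-cache", "Pragma": "no-cache"}
STRICT = {"Cache-Control": "no-store, no-cache, must-revalidate"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("strict", STRICT)):
        stored, fields = audit(hdrs, CHECKOUT)
        print(f"{label}: storable={stored} prefilled={fields}")
```

The check covers only what the server sends; whether a given browser honours the directive, or its own "do not save encrypted pages to disk" setting, has to be verified on the client.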
