(Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b
Haven't had time to test this myself.

Peter Trei

------- Forwarded Message Follows -------
Date: Mon, 18 Dec 95 17:18:28
From: <lstein@genome.wi.mit.edu>
Subject: SECURITY ALERT: Password protection bug in Netscape 2.0b3
To: www-security@ns2.rutgers.edu, jcarroll@redman.canada.dg.com
Cc: tara@linkage.cpmc.columbia.edu

A potentially serious bug has just come to my attention concerning the handling of password-protected pages accessed via Netscape 2.0b3. Apparently when you type in the password to access a protected document Netscape stores the password in a local hidden file (in one of the .db files created in the .netscape directory on UNIX systems, and in the Netscape Preferences file on Macintoshes). This password is then used for accessing the document during subsequent accesses. The problem is that Netscape does not delete the stored password when the program quits.

The problem has been reproduced on Unix and Macintosh platforms. I haven't tried the Windows implementation yet, but I suspect the same problem exists.

This leads to the following behavior:

1) Open up Netscape and access a password-protected document.
2) Quit Netscape.
3) Start Netscape again and try to retrieve the document. When the password-entry dialog comes up, click "Cancel".
4) Try to access the document a second time. Now Netscape lets you in without asking for the password!

On Unix systems, this means that if you go over to an associate's machine to show him a protected document, Netscape will record your typed-in password for posterity. Your associate now has full access to this page.

The situation is particularly dangerous on PCs in a shared "computer lab" environment. Everybody who uses Netscape unwittingly makes his passwords available to all other users.

Please let me know if anyone finds out more about this problem. I'm going to add it to the WWW security FAQ.

Lincoln

========================================================================
Lincoln Stein, M.D., Ph.D.                      lstein@genome.wi.mit.edu
Director: Informatics Core                      (617) 252-1916
MIT Genome Center                               (617) 252-1902 FAX
Whitehead Institute for Biomedical Research
One Kendall Square, Cambridge, MA 02139
=================http://www-genome.wi.mit.edu/~lstein====================
Except for the bit about the file not being deleted after quitting Netscape (which is Bad), this is old news. This is why security-conscious sites like banking.wellsfargo.com ask for passwords in an SSL-encrypted form rather than via simple browser authentication. Even if Netscape did delete the "password cache," anyone with physical access to your machine could still recover it from disk. I believe that Microsoft Internet Explorer and other browsers derived from Mosaic do the same thing. Netscape et al know that simple browser authentication is of limited usefulness, which is why we keep trying to commit them to DCE. -rich
This report is mostly bogus. Netscape does not, and never has, stored http auth passwords in files on your disk. However we do cache documents from servers that use http auth. In this case the user had their preferences set to check the host site for updated content "once per session". There is a bug, which we are fixing before 2.0 ships, that if the auth fails the document should be removed from the cache but was not. If the user had set their cache checking to "never", then if the document is in the cache, it will always be shown to the user, since no connection is made to the server.

Content providers who don't want their web pages cached should use the 'Pragma: no-cache' http header. This will tell the navigator to not save the document in the disk cache.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
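The behaviour Jeff describes (a disk cache of documents fetched with HTTP auth, an "once per session" revalidation check, a missing eviction when that check fails, the "never" check setting, and the effect of `Pragma: no-cache`) can be reproduced in a small simulation. The following is an added example, not Netscape code and not part of the original thread; the `origin_server` function, the `BrowserCache` class, the `/secret/doc.html` URL and the `lstein:s3cret` credentials are all constructed for illustration. The `evict_on_auth_failure` flag switches between the buggy 2.0b3 behaviour and the fix Jeff says is going into 2.0. Note that credentials live only in `session_auth`, which is cleared on restart; nothing about them is written to the "disk" dictionary, which is the point Jeff makes about the report.

```python
"""Simulation of a browser disk cache in front of an HTTP Basic auth server.

Constructed example: the server, URLs and credentials are made up for
illustration and do not come from the thread or from Netscape.
"""
import base64
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


def origin_server(url, auth_header, no_cache=False):
    """Stand-in origin: /secret/* requires Basic auth (hypothetical user lstein)."""
    expected = "Basic " + base64.b64encode(b"lstein:s3cret").decode()
    if url.startswith("/secret") and auth_header != expected:
        return Response(401, {"WWW-Authenticate": 'Basic realm="genome"'})
    headers = {"Content-Type": "text/html"}
    if no_cache:
        # what a content provider sends to keep the page out of the disk cache
        headers["Pragma"] = "no-cache"
    return Response(200, headers, f"<html>contents of {url}</html>")


class BrowserCache:
    """Models the navigator's disk cache and its 'check for updates' policy."""

    def __init__(self, check_policy="once_per_session", evict_on_auth_failure=True):
        self.check_policy = check_policy            # once_per_session | never | every_time
        self.evict_on_auth_failure = evict_on_auth_failure  # False reproduces the 2.0b3 bug
        self.entries = {}        # url -> Response; survives quitting (the disk cache)
        self.checked = set()     # urls already revalidated this session (memory only)
        self.session_auth = {}   # url -> Authorization header (memory only, never on disk)

    def new_session(self):
        """Quit and restart the browser: memory is gone, the disk cache is not."""
        self.checked.clear()
        self.session_auth.clear()

    def _needs_check(self, url):
        if self.check_policy == "every_time":
            return True
        if self.check_policy == "never":
            return False
        return url not in self.checked

    def request(self, url, password_dialog, no_cache=False):
        """password_dialog() returns 'user:pass', or None when the user clicks Cancel."""
        cached = self.entries.get(url)
        if cached is not None and not self._needs_check(url):
            return cached, "cache"          # served without contacting the server
        auth = self.session_auth.get(url)
        resp = origin_server(url, auth, no_cache)
        if resp.status == 401:
            creds = password_dialog()
            if creds is not None:
                auth = "Basic " + base64.b64encode(creds.encode()).decode()
                resp = origin_server(url, auth, no_cache)
        self.checked.add(url)               # the once-per-session check has now happened
        if resp.status == 200:
            self.session_auth[url] = auth
            if resp.headers.get("Pragma") == "no-cache":
                self.entries.pop(url, None)
            else:
                self.entries[url] = resp
        elif self.evict_on_auth_failure:
            self.entries.pop(url, None)     # the fix: failed auth drops the stale copy
        return resp, "origin"


def reproduce(evict_on_auth_failure, check_policy="once_per_session", no_cache=False):
    """Lincoln's four steps; returns the three status codes and where step 4 came from."""
    cache = BrowserCache(check_policy, evict_on_auth_failure)
    url = "/secret/doc.html"
    r1, _ = cache.request(url, lambda: "lstein:s3cret", no_cache)   # 1) log in
    cache.new_session()                                              # 2) quit, 3) restart
    r2, _ = cache.request(url, lambda: None, no_cache)               # 3) click Cancel
    r3, src = cache.request(url, lambda: None, no_cache)             # 4) try again
    return r1.status, r2.status, r3.status, src


if __name__ == "__main__":
    print("2.0b3 bug:       ", reproduce(evict_on_auth_failure=False))
    print("fixed:           ", reproduce(evict_on_auth_failure=True))
    print("fixed, 'never':  ", reproduce(True, check_policy="never"))
    print("Pragma: no-cache:", reproduce(False, no_cache=True))
```

With the buggy setting, step 4 is answered from the disk cache with a 200 even though the user never supplied a password in the new session; with eviction on the failed check, step 4 goes back to the server and gets another 401. The "never" policy returns the cached page without a check even on the fixed build, and a server sending `Pragma: no-cache` is never served from cache on either build.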
participants (3): Jeff Weinstein, Peter Trei, Rich Graves