No Subject

Lucky Green shamrock at netcom.com
Sun Mar 31 05:05:13 PST 1996


Yes, Netscape caches passwords.

--- begin forwarded text

From: support at sfnb.com
Date: Fri, 29 Mar 96 17:27:02 -0500
Sender: <support at sfnb.com>
Apparently-To: bankusers at sfnb.com

Dear Security First customer:

With the release of Netscape Navigator 2.0, Netscape enhanced their
caching mechanism to improve the browser's performance.  As a result
of this enhancement, the Navigator was storing Security First username
and password information when entered in cleartext on a customer's
local hard drive in a file called fat.db.  Therefore, if a
knowledgeable and malicious person had access to a Security First
customer's computer, they could have potentially stolen that customer's
username and password.  To our knowledge, this vulnerability was NOT
exploited by anyone.

We were made aware of this fact in an e-mail to the bank from Lucky
Green, a frequent contributor to the cypherpunks mailing list.
Immediately upon learning of this situation, Five Paces engineers
worked closely with Netscape engineers and fixed the problem.  To
prevent caching of the username and password, we changed the login
script to include "pragma: no-cache" in the http header.  This
command instructs the browser not to cache any information from this
page on the local hard drive.

Please note this was not specific to Security First.  Any Web site
that requests a username and password in an onscreen form is
potentially vulnerable to this cleartext caching if the "pragma:
no-cache" header is not used.

In order to ensure that your username and password have been cleared
from your cache, bank customers should go to the Options dropdown
menu in the Navigator, and select Network, then Cache, and then click
on the "Clear Disk Cache Now" button.  We know that software involving
Internet commerce is changing at a rapid pace, and we will continue
to monitor all changes that might affect our customers.

We would like to thank Lucky and also Jeff Weinstein of Netscape for
bringing this to our attention.  The Internet community benefits when
we all work together to make it a better network.

If you have any questions, please do not hesitate to e-mail me at
karlin at sfnb.com, or our customer service staff at support at sfnb.com.

Sincerely,

Michael Karlin
President & COO
Security First Network Bank

================================================================
Michael S. Karlin                    Security First Network Bank
2957 Clairmont Road                  404.679.3201
Suite 280                            404.679.3210 Fax
Atlanta, GA  30329                   karlin at sfnb.com

--- end forwarded text


-- Lucky Green <mailto:shamrock at netcom.com>
   PGP encrypted mail preferred.
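Added example, not part of the original message and not the bank's or Netscape's code: a hypothetical login-page handler that emits the `Pragma: no-cache` directive named above (alongside `Cache-Control: no-store`, the HTTP/1.1 directive that current browsers act on, and `Expires: 0`), a header audit that reports which directive a response lacks, and a constructed disk-cache stand-in that stores a response only when nothing forbids it. The form, URL and cache model are assumptions made for the illustration.

```python
"""Added example (not from the original post): no-cache headers on a login page,
an audit of response headers, and a toy disk cache that honours the directives."""
from typing import Dict, List, Tuple

# Constructed sample login form standing in for the bank's real page.
LOGIN_FORM = b"""<html><body>
<form method="post" action="/login">
  Username: <input name="user">
  Password: <input type="password" name="pass">
  <input type="submit" value="Log in">
</form></body></html>"""


def no_cache_headers() -> Dict[str, str]:
    """Response headers that keep the page out of the browser's disk cache.

    'Pragma: no-cache' is the HTTP/1.0 directive named in the message above;
    'Cache-Control: no-store' is the HTTP/1.1 directive current browsers act on,
    and 'Expires: 0' covers caches that only look at expiry dates.
    """
    return {
        "Pragma": "no-cache",
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Expires": "0",
    }


def login_page(set_no_cache: bool = True) -> Tuple[int, Dict[str, str], bytes]:
    """Build the login response (hypothetical handler).

    set_no_cache=False reproduces the weak pre-fix behaviour: no caching
    directives at all, so a browser is free to write the page to disk.
    """
    headers = {"Content-Type": "text/html"}
    if set_no_cache:
        headers.update(no_cache_headers())
    return 200, headers, LOGIN_FORM


def missing_cache_directives(headers: Dict[str, str]) -> List[str]:
    """Audit a response's headers and return the anti-caching directives it lacks.

    An empty list means both the HTTP/1.0 and the HTTP/1.1 directives are set.
    Header names and values are compared case-insensitively.
    """
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    missing = []
    if "no-cache" not in lowered.get("pragma", ""):
        missing.append("Pragma: no-cache")
    if "no-store" not in lowered.get("cache-control", ""):
        missing.append("Cache-Control: no-store")
    return missing


class DiskCacheSim:
    """Minimal stand-in for a browser disk cache (constructed, not Navigator's code).

    It writes a 200 response to its store unless the headers forbid it, which is
    enough to show why the login page needed the directives.
    """

    def __init__(self) -> None:
        self.entries: Dict[str, bytes] = {}

    def store(self, url: str, status: int, headers: Dict[str, str], body: bytes) -> bool:
        """Return True if the response was written to the cache."""
        if status != 200:
            return False
        lowered = {k.lower(): v.lower() for k, v in headers.items()}
        if "no-cache" in lowered.get("pragma", "") or "no-store" in lowered.get("cache-control", ""):
            return False  # directive honoured: nothing written to disk
        self.entries[url] = body
        return True


def demo() -> Tuple[bool, bool]:
    """Return (cached_before_fix, cached_after_fix) for the sample login page."""
    url = "https://bank.example/login"  # constructed URL
    weak = DiskCacheSim().store(url, *login_page(set_no_cache=False))
    fixed = DiskCacheSim().store(url, *login_page(set_no_cache=True))
    return weak, fixed


if __name__ == "__main__":
    before, after = demo()
    print("cached without directives:", before)  # True
    print("cached with directives:", after)      # False
    print("missing on weak page:", missing_cache_directives(login_page(False)[1]))
```

The audit function is the piece worth keeping: run it over the headers of every page that collects a credential, since, as the message notes, the exposure was not specific to one site but to any form page served without the directive.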