Re: Possible Netscape Crypto Security Flaw

From: HD Moore (hdmooreat_private)
Date: Tue Feb 16 1999 - 11:02:08 PST

    First of all, if someone can access your registry files via a
    javascript, you have worse problems to deal with.
    
    The storing of the mail password in the registry was mentioned in a post
    of mine that can be found at:
    http://geek-girl.com/bugtraq/1998_4/0344.html
    
    The password is *still* in the registry after you close Netscape;
    keeping Netscape open is not required.  If they could access your
    registry files to begin with, why not save the trouble of digging it out
    and just snag prefs.js / preferences.js?
    
    Anyways, my 2 cents..
    
    -HD
    
    
    Haze wrote:
    >
    > When you go into Netscape Messenger and check your mail, the software
    > stores the password you used in the registry and encrypts it. It remains
    > there for as long as Netscape is open. The login and password are kept
    > in:
    > HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\biff\users\
    > username(varies)\servers\<mail server>
    [ -- snipped -- ]
    > javascript code to read his local registry files and retrieve his mail
    > server login (unencrypted), encrypted password, and his mail server. Well
    > then the cracker could perform a brute force crack on the encryption and
    > attempt to gain access to the Regular Joe A's ISP and/or pop3 e-mail
    > account...
    


