Re: IE5 Feature/security hole

From: Eilon Lipton (yoeat_private)
Date: Thu Mar 25 1999 - 19:15:54 PST

Next message: /usr/libexec/telnetd: "Re: X11R6 NetBSD Security Problem"

Previous message: Jim Reavis: "Re: IE5 - same vulnerabilities, only some fixed"
Maybe in reply to: Anthony Pijerov: "IE5 Feature/security hole"
Next in thread: Juha Jäykkä: "Re: IE5 Feature/security hole"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

To remove an item from the drop-down lists that appear, highlight the option
and press the Delete key. It will then be removed from the list permanently.
Password fields are never stored in such a way. The only time passwords are
stored is when you enter a username/password combination and it asks you the
first time if you wish to store it or not. This is true for both web-based
forms, and HTTP security (where a dialog box pops open asking you the
username and password).
According to Microsoft, the database (call it what you like) where all this
information is stored is encrypted, so you cannot just go to a random
machine and grab all the data - you must go to a form that has the proper
field names in order to get the information.


Eilon Lipton
ejliptonat_private
yoeat_private


> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of Anthony
> Pijerov
> Sent: Wednesday, March 24, 1999 4:04 PM
> To: BUGTRAQat_private
> Subject: IE5 Feature/security hole
>
>
> In Internet Explorer 5, there is a feature, that remembers what you type
> into web page forms, so that if you ever come to enter that field again,
> it will drop down a box of your previous inputs.
> (Note, the first time you come to a form, it will ask you wether or not
> you want to enable this function, and you can say no)
>
> Good feature? Perhaps, it could be time saving, when say, having to type
> in your name on a form everytime.
>
> Security Hole? Yes.  Credit Card Numbers, social security numbers,
> usernames, addresses.  It will drop down a box with previous entered data.
> So if you say have a web site were you order stuff online, or entered some
> sort of data to verify yourself, the next person to use your computer can
> go to that same site, and have a nice list of what you typed.  At a home
> computer the risk is limited to who you let use your computer, but at
> things like schools, or other areas where many people share the same
> computer, this could become a security/privacy problem.  I verified it
> does work with Credit Card numbers on secure sites. I tested on CDNow and
> amazon.com (pretty popular sites to enter CC info).
>
>
> I think this feature is one that everyone needs to know to make sure is
> OFF.
>
> ------------------------------------------------------------------
> ---------
> Anthony Pijerov                      Customer Support: 452-1465
> ajpat_private                   or 1-888-223-INET
> Customer Support Rep.                http://www.global2000.net
> ------------------------------------------------------------------
> ----------
>

Next message: /usr/libexec/telnetd: "Re: X11R6 NetBSD Security Problem"
Previous message: Jim Reavis: "Re: IE5 - same vulnerabilities, only some fixed"
Maybe in reply to: Anthony Pijerov: "IE5 Feature/security hole"
Next in thread: Juha Jäykkä: "Re: IE5 Feature/security hole"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:40:16 PDT