Re[2]: SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval

From: 3APA3A (3APA3Aat_private)
Date: Fri Jun 08 2001 - 01:31:50 PDT


    Hello Thomas,
    
    
    --Wednesday, June 06, 2001, 8:36:39 PM, you wrote to bugtraqat_private:
    
    TC> On Tue, 5 Jun 2001, 3APA3A wrote:
    
    Risk : Low
    
    
    TC> This does not seem like a real issue to me, and it certainly
    TC> does not qualify as an exploit.  This information would seem
    
    Yes, as I wrote in the advisory, I really treat this problem as security
    related only in conjunction with others. An example is a quote from the
    Netscape security notes:
    http://home.netscape.com/security/notes/index.html
    
    "JavaScript Cookie Exploit - An exploit was reported for Netscape
    Communicator 4.72 and earlier in which a hostile site can read the
    links in a user's bookmark file and some attributes of HTML files if
    the user's profile name and the Communicator installation directory
    path are known to the hostile site".
    
    Now you can know the user's profile name and installation directory and
    can launch the attack automatically by e-mail. The e-mail message can
    "call back" the "hostile site" with information on the user's profile.
    I don't believe this is the only exploit of this kind.
    
    If you still think it's not a security issue - well, you're right :)
    
    TC> useful only if we believed that security through obscurity had
    TC> merit.  Compound this with the fact that most people are not even
    TC> trying to hide their user account names, and that Netscape mail
    TC> locations are typically standardized in default directories
    TC> anyway.  This information appears to be useless for anyone trying
    TC> to compromise security.
    
    
    And I _completely_ disagree with your opinion on login. You're talking
    about corporate security while I care about individual privacy.
    
    Sure, if you use the name Thomas Corriher with the e-mail address
    tcorriherat_private while reading your IMAP folder with PINE from
    your personal notebook, your login name and the location of your host
    are really not important. But if you use the name "3APA3A" and you have
    a couple more names of this kind and you read your mailboxes from a
    corporate office and you wanna stay a little bit anonymous at the same
    time, things are slightly different. In my case I don't care, and you
    can get my login name another way, for example via netstat (I didn't
    filter it). But in a different situation I will be really upset if
    someone knows my Unix or NT login + my IP just because I read his
    e-mail :) In this case I _definitely_ wanna replace my e-mail software
    with something that doesn't allow JavaScript at all :) (In fact I use
    The Bat!, which does not).
    
    TC> It is interesting, and I would like to commend the poster for
    TC> his cleverness nevertheless.
    
    Wow. Thanx :) I find this "feature" of Netscape very convenient - it
    allows me to spy on how often my web site is mentioned in private
    correspondence :))
    
    -- 
    ~/3APA3A
    But then, anyone might think of eggs, heels and bishops. (Lem)
    



    This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 12:29:28 PDT