Re: MS IE Password inputs

From: Cody Smith (smithccat_private)
Date: Wed Nov 21 2001 - 02:34:02 PST

Next message: Paul Starzetz: "Advisory: Berkeley pmake"

Previous message: pete: "Security Testing Workshop in Barcelona"
In reply to: Mattie Casper: "Re: MS IE Password inputs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Worse than this is a gaping hole in Windows versions of Opera 5 and 6.  I
haven't tested earlier versions, but they could easily be vulnerable.

In Opera, passwords boxes can be read externally, by other processes.
ShoWin (~ 23 kb) is one such app which will divulge the contents of most
password boxes in Windows.

In IE and Netscape, ShoWin selects the entire document being viewed, rather
than any individual elements, so it can't read passwords.  However, in
Opera, ShoWin will report the contents of individual form elements,
including password boxes.  Simply position the crosshairs over the password
field and ShoWin displays the password in the 'Title' box.

Also, Opera will remember the status of form elements, including passwords,
when moving back and forward, so passwords are highly vulnerable throughout
the life of the document window.  I was able to log into Hotmail with the
'Public/shared computer' option, check mail, send mail, logout, and then go
all the way back and read my own password.

Cody Smith

----- Original Message -----
From: "Mattie Casper" <mattieat_private>
To: "Jon Embury" <jon.emburyat_private>;
<bugtraqat_private>
Sent: Tuesday, November 20, 2001 10:25 PM
Subject: Re: MS IE Password inputs


> Very interesting find, and I can confirm the same thing happens in
> IE6.
>
> I can reproduce it by placing the cursor at the beginning of a
> password typed-in like "1234 56789 0ABCDE FGHIJK" and then use
> CTRL+RIGHTARROW to move through the asterisks just as if the spaces
> were there. (CTRL+RIGHTARROW in some applications like IE will move
> you to the next 'word' in a textbox.)
>
> This can come in handy when I typo part of a password and don't want
> to retype it all, but this does have some slight security
> implications.
> -Mattie!
>
> Mattie Casper
> http://me.mattie.net
>
> ----- Original Message -----
> From: "Jon Embury" <jon.emburyat_private>
> To: <bugtraqat_private>
> Sent: Tuesday, November 20, 2001 3:28 PM
> Subject: MS IE Password inputs
>
>
> > Just something I've noticed on IE 4 & 5.5
> >
> > If you enter a password that contains a mix of non-alphabetic and
> alphabetic
> > characters to an MS IE password input and then use the keyboard to
> select it
> > while holding down tab the cursor / selected region jumps between
> the
> > non-alphabetic characters in exactly the same manner as it does when
> you
> > apply the same technique in word, Interdev, vb etc.
> >
> > It doesn't reveal the password, but it would seem to reveal at least
> some of
> > the structure.
> >
> > Eg
> >
> > 1 2 3 4 5
> >
> >
> > Jon Embury
> > Developer, F1 Solutions
> > www.f1solutions.com.au
> >
> >
>

Next message: Paul Starzetz: "Advisory: Berkeley pmake"
Previous message: pete: "Security Testing Workshop in Barcelona"
In reply to: Mattie Casper: "Re: MS IE Password inputs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 17:41:28 PST