Re: Netscape Communicator 4.x sensitive informations in configuration file

From: Paul Szabo (pszat_private)
Date: Fri Feb 28 2003 - 15:03:17 PST

    Byron York <byronat_private> wrote:
    
    >> ... I've checked a file named prefs.js ...
    >> the IMAP mail part ... shows the unencrypted password ...
    >>
    >> user_pref("mail.imap.server.imap.computec.ch.password", "MyPassword4");
    >> user_pref("mail.imap.server.imap.computec.ch.remember_password", true);
    >>
    >> This is also true for POP3 and perhaps for SMTP, NNTP and LDAP
    >> passwords. The passwords are only stored if the remember password option
    >> is set (e.g. line 18).
    >>
    >> It may be possible to extract these passwords during a sneaking access
    >> to the system (local or remote by a backdoor)[1, 2] or examine a backup.
    >> This weakness should be kept in mind.
    >>
    >> I'm not sure if this vulnerability exists in other Netscape versions
    >> (e.g. 6 or 7).
    >>
    >> [1] http://www.idefense.com/advisory/11.19.02c.txt
    >> [2] http://www.securityfocus.com/bid/6215
    > 
    > We use Netscape 4.74 with roaming profiles using POP3, and my prefs.js file
    > keeps the password hidden:
    > 
    > user_pref("mail.pop_name", "byron");
    > user_pref("mail.pop_password", "encryptedstuff");
    > user_pref("mail.remember_password", true);
    > 
    > I am not sure if the encryption is turned on someplace, but I suspect it is
    > on by default, for it is definitely there for all of our POP clients using
    > 4.74.
    
    That is not encryption, but reversible obfuscation. Look in the Netscape
    source code for how to decode that: Netscape is able to do it and send the
    clear-text password to the POP server.
    
    Do not allow Netscape (or other utilities, e.g. Eudora) to remember your
    passwords.
    
    Cheers,
    
    Paul Szabo - pszat_private  http://www.maths.usyd.edu.au:8000/u/psz/
    School of Mathematics and Statistics  University of Sydney   2006  Australia
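
An added example, not part of the original message: a small audit script that reports which `user_pref` entries in a prefs.js file hold a remembered password, so they can be cleared. It lists key names only and never the stored values. The sample lines are constructed from the two snippets quoted in the thread; `mail.example_password` is a hypothetical key added to show the empty-value case, and the rule for locating the matching `remember_password` flag is an assumption based on those two snippets.

```python
import re

# One preference line: user_pref("key", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {key: raw_value} for every user_pref line in a prefs.js body."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def find_stored_passwords(text):
    """Return [(key, remember_flag_set)] for non-empty stored passwords.

    The stored value is deliberately not returned: whether it is clear text
    or obfuscated, the client can recover it, so its presence is the finding.
    """
    prefs = parse_prefs(text)
    findings = []
    for key, raw in prefs.items():
        if not key.endswith("password") or key.endswith("remember_password"):
            continue  # not a password value (or it is the boolean flag itself)
        is_string = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
        if not is_string or len(raw) == 2:
            continue  # empty string or non-string value: nothing stored
        # Assumption: the flag lives beside the password under the same prefix.
        flag_key = key.rsplit(".", 1)[0] + ".remember_password"
        findings.append((key, prefs.get(flag_key) == "true"))
    return findings

# Constructed sample built from the lines quoted in the thread.
SAMPLE = '''
user_pref("mail.imap.server.imap.computec.ch.password", "MyPassword4");
user_pref("mail.imap.server.imap.computec.ch.remember_password", true);
user_pref("mail.pop_name", "byron");
user_pref("mail.pop_password", "encryptedstuff");
user_pref("mail.remember_password", true);
user_pref("mail.example_password", "");
'''

if __name__ == "__main__":
    for key, remembered in find_stored_passwords(SAMPLE):
        print(f"stored password in pref {key!r} (remember flag set: {remembered})")
```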
    


