Bugtraq mailing list archives

Possible Netscape Crypto Security Flaw


From: Haze () BEER COM (Haze)
Date: Sun, 14 Feb 1999 21:13:46 -0600


When you go into Netscape Messenger and check your mail, the software
stores the password you used in the registry and encrypts it. It remains
there for as long as Netscape is open. The login and password are kept
in:
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\biff\users\username(varies)\servers\<mail server>

Here is the scenario...

Let's say Regular Joe A runs Netscape and then checks his email first
off... He checks it, enters his password, and his password is stored in
the registry... Let's say after he gets done checking his mail, he
doesn't close Netscape and decides to browse the web. He comes up along
Malicious Site A which contains malicious JavaScript code to read his
local registry files and retrieve his mail server login (unencrypted),
encrypted password, and his mail server. Well then the cracker could
perform a brute force crack on the encryption and attempt to gain access
to Regular Joe A's ISP and/or pop3 e-mail account...
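
An added example, not part of the original post: a PowerShell audit of the registry location the post names, listing which values exist there (names and sizes only, never the data) and whether they are still present with the browser closed. The function name and the process name `netscape` are assumptions; the registry path is the one given in the post.

```powershell
# Added example: audit the registry location named in the post for stored
# mail credentials. Reads HKCU only; reports value names and sizes, never data.
function Get-BiffCredentialEntries {
    param(
        # Path taken from the post; override it to test against a constructed key.
        [string]$Root = 'HKCU:\Software\Netscape\Netscape Navigator\biff\users'
    )
    if (-not (Test-Path -LiteralPath $Root)) { return @() }

    # The post gives the layout as users\<username>\servers\<mail server>.
    # Walk everything under users\ so a key layout and a value layout are both caught.
    $keys = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            [pscustomobject]@{
                Key       = $key.Name
                ValueName = if ($name) { $name } else { '(default)' }
                Kind      = $key.GetValueKind($name)
                Length    = if ($data -is [byte[]]) { $data.Length } else { "$data".Length }
            }
        }
    }
}

# Assumption: the browser process is named "netscape" (netscape.exe).
$running = [bool](Get-Process -Name 'netscape' -ErrorAction SilentlyContinue)
$entries = @(Get-BiffCredentialEntries)

"Netscape running: $running"
"Entries under biff\users: $($entries.Count)"
$entries | Format-Table -AutoSize

# The post says the password stays in the registry while Netscape is open.
# Entries that remain with the browser closed mean the exposure outlasts the session.
if ($entries.Count -gt 0 -and -not $running) {
    Write-Warning 'Stored mail credential entries persist with Netscape closed.'
}
```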


