Re: Netscape Communicator 4.x sensitive informations in configuration file

[psz () maths usyd edu au (Paul Szabo)]

Byron York <byron () benefitrecovery com> wrote:

> > ... I've checked a file named prefs.js ...
> > the IMAP mail part ... shows the unencrypted password ...
> >
> > user_pref("mail.imap.server.imap.computec.ch.password", "MyPassword4");
> > user_pref("mail.imap.server.imap.computec.ch.remember_password", true);
> >
> > This is also true for POP3 and perhaps for SMTP, NNTP and LDAP
> > passwords. The passwords are only stored if the remember password option
> > is set (e.g. line 18).
> >
> > It may be possible to extract these passwords during a sneaking access
> > to the system (local or remote by a backdoor)[1, 2] or examine a backup.
> > This weakness should be keeped in mind.
> >
> > I'm not sure if this vulnerability exists in other Netscape versions
> > (e.g. 6 or 7).
> >
> > [1] http://www.idefense.com/advisory/11.19.02c.txt
> > [2] http://www.securityfocus.com/bid/6215
>
> We use Netscape 4.74 with roaming profiles using POP3, and my prefs.js file
> keeps the password hidden:
>
> user_pref("mail.pop_name", "byron");
> user_pref("mail.pop_password", "encryptedstuff");
> user_pref("mail.remember_password", true);
>
> I am not sure if the encryption is turned on someplace, but I suspect it is
> on by default, for it is definitely there for all of our POP clients using
> 4.74.

That is not encryption, but reversible obfuscation. Look in the Netscape
source code for how to decode that: Netscape is able to do it and send the
clear-text password to the POP server.

Do not allow Netscape (or other utilities, e.g. Eudora) to remember your
passwords.

Cheers,

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia