[NT] Uncovering the Asterisks in Password Inputs
From: support@securiteam.comDate: 11/27/01
- Previous message: support@securiteam.com: "[TOOL] PDD, Forensic Analysis for the PalmOS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Subject: [NT] Uncovering the Asterisks in Password Inputs Message-Id: <20011127214018.15859138BF@mail.der-keiler.de> Date: Tue, 27 Nov 2001 22:40:18 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Uncovering the Asterisks in Password Inputs
------------------------------------------------------------------------
SUMMARY
Passwords are often protected by replacing the displayed characters with
'*', to hide them from 'over-the-shoulder' viewers. In addition, the
copy-paste will not allow copying of the content protected by the password
edit box.
However, certain flaws in the implementation of this protection make it
possible to gain knowledge about the data behind the asterisks, and
sometimes to reveal the password's content.
This is usually only a threat in multi-user environment, but can also be
employed by Trojans as an alternative to key-logging.
DETAILS
Vulnerable systems:
Opera version 5
Opera version 6
Internet Explorer version 4.0
Internet Explorer version 5.5
Internet Explorer version 6.0
Opera browser:
In Opera, external processes can read the content of the passwords boxes.
<http://www.foundstone.com/rdlabs/proddesc/showin.html> ShoWin is one such
application that will also divulge the contents of most password boxes in
Windows.
In addition, Opera will remember the status of form elements, including
passwords, when moving back and forward, so passwords are highly
vulnerable throughout the life of the document window.
Internet explorer:
If you enter a password that contains a mix of non-alphabetic and
alphabetic characters to an MS IE password input and then use the keyboard
to select it while holding down tab, the cursor or selected region jumps
between the non-alphabetic characters in exactly the same manner as it
does when you apply the same technique in Word, Interdev, Visual Basic
etc.
This does not reveal the password, but it would seem to reveal at least
some of its structure.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:jon.embury@f1solutions.com.au> Jon Embury and
<mailto:smithcc@uclink4.berkeley.edu> Cody Smith.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[TOOL] PDD, Forensic Analysis for the PalmOS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
