Bugtraq mailing list archives
Re: Communicator 4.5 stores EVERY mail-password in preferences.js
From: hdmoore () USA NET (HD Moore)
Date: Wed, 4 Nov 1998 17:20:27 -0600
In the Windows environment prefs.js isnt the only place that your password is stored. Netscape also creates a registry entry for your password (garbled as well) that any admin on your local LAN (or some cracker over the internet) can read by remotely connecting to your registry. The path it is stored in is: HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\biff\users\<profile name>\servers\<mail server hostname>\password This is with the 'dont save password option' checked on 4.5 (netscape.exe internal version: 4.50.2.19) By any chance does anyone know how the password is encrypted or how strong of encryption is used? I also managed to copy that registry entry onto a separate computer (while messenger was already open and I had checked my mail once), changed the hostname of the mail server entry to match and successfully retrieved mail with that account while sniffing the plain text pop3 pass over my dialup...
Current thread:
- Communicator 4.5 stores EVERY mail-password in preferences.js Holger van Lengerich (Nov 04)
- Re: Communicator 4.5 stores EVERY mail-password in preferences.js Pierre Belanger (Nov 05)
- <Possible follow-ups>
- Re: Communicator 4.5 stores EVERY mail-password in preferences.js HD Moore (Nov 04)
- Re: Communicator 4.5 stores EVERY mail-password in preferences.js HD Moore (Nov 04)