Vulnerability Development mailing list archives
Re: IE 5.0 vulnerability
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Sun, 24 Oct 1999 10:56:08 -0700
Josh Burns wrote: I'm not sure if this has been announced yet, but here goes.. I am not sure if this is an IE 5 problem, or not, but when you have cookies enabled (default setting), and you use a service like AOLMail, Hotmail, or anything that requires a name and password, it is stored in a cookie for later use. If the user closes IE, and then reopens it, and goes to the same page, and type in the first letter of their login name, a drop-down box will come up, with their user name in it, and you can click it. Then, if the user clicks on the password field, it automatically fills in their password. I'm not sure what the cookie for this looks like, if the stored password is encrypted, or not, because I didn't have time to test. This can most likely be fixed by going to Internet Options, and turning off cookies from all hosts. Please give me some feedback on this.
IE5 includes a "feature" that allows it to remember what you've typed into various web form fields, to make it easier to fill out forms later. This feature is called "autocomplete" is is part of the IntelliSense feature set. You can read briefly about it here: http://www.microsoft.com/windows/Ie/Features/Intellisense/default.asp It's not related to cookies in any way, near as I can tell. Certainly, it's not a feature most of us would want to turn on. I looks like it starts remembering all fields, as soon as you turn it on. Almost any web user will have to put something in that constitutes a password at some point. Here's a bit from the IE5 help: "To enter Web information more easily The AutoComplete feature saves previous entries you've made for Web addresses, forms, and passwords. Then, when you type information in one of these fields, AutoComplete suggests possible matches. These matches can include folder and program names you type in the Address bar, and search queries, stock quotes, or information for just about any other field you fill in on a Web page. In the Address bar, a field on a Web page, or a box for a username or password, start typing the information. If you've typed a similar entry before, AutoComplete lists possible matches as you type. If a suggestion in the list matches what you want to enter in that field, click the suggestion. If not, continue typing. Notes The information used for suggested matches is stored on your computer and is encrypted to protect your privacy. Web sites cannot gain access to this information. They can only receive what you explicitly enter in forms. When typing information in Web forms, and typing passwords, you can remove an item from the list of suggestions by clicking the item and then pressing the DELETE key. Related Topic Adjust AutoComplete settings" Here's the piece on AutoComplete settings: "To adjust AutoComplete settings You can tailor the AutoComplete feature to save and suggest only the information you want. You can choose whether to use AutoComplete for Web addresses, forms, and passwords, or not use it all. And you can clear the history for any of these. On the Tools menu in Internet Explorer, click Internet Options. Click the Content tab. In the Personal information area, click AutoComplete. Select the check boxes for the AutoComplete options you want to use. " The part that grabs my attention is that it claims to be "encrypted" on the disk, to help protect privacy. I'd be suspicious of that. If IE can "decrypt" them without asking you for an unlocking password, then they're just encoded, or the crypt key is sitting on the drive, too. As you've seen, if someone is sitting at your machine, and they fire up IE, they get all your info. BB
Current thread:
- IE 5.0 vulnerability Josh Burns (Oct 22)
- Re: IE 5.0 vulnerability David Schwartz (Oct 24)
- Re: IE 5.0 vulnerability Blue Boar (Oct 24)
- Re: IE 5.0 vulnerability David U. (Oct 24)
- Re: IE 5.0 vulnerability Mike Malouf (Oct 25)
- <Possible follow-ups>
- Re: IE 5.0 vulnerability Josh Burns (Oct 24)
- Re: IE 5.0 vulnerability -wb (Oct 26)
- Re: IE 5.0 Vulnerability Bill Weiss (Oct 26)