Vulnerability Development mailing list archives
RE: .NET Passport: WALLET SERVICE
From: Marc Slemko <marcs () znep com>
Date: Tue, 13 Nov 2001 14:00:13 -0800 (PST)
On Tue, 13 Nov 2001, http-equiv () excite com wrote:
> Interesting project, and well understood. However, it seems that the problem in this case is actually the .NET Passport toy wallet thing. If you entertain an online purchase, you go "shopping" and "add to basket" etc. You would then go to the "checkout". When you arrive at the "checkout", you are met with blank forms which you are expected to fill out (name, shipping address, credit card info etc.). Obviously at this time, if you rooted around the browser temp file and retrieved this page, the forms will be blank and nothing sensitive is revealed. You would then fill in the forms with the data and fire away. Hopefully, as you indicate, the data would be 'POSTED' and that's the end of that. But the wallet gimmick automatically fills in the forms with your sensitive data, so once you arrive at the "checkout" the forms are filled in, the entire filled-in page is rendered and cached, and if you root around the browser temp file and retrieve the page, obviously the entire page with filled-in forms is there for all to see.
No, it isn't fair to say this is a hole with Passport Wallet. The exact same thing can happen under "normal" circumstances on many sites if you fill out some of the information on the form incorrectly, etc. and the server redisplays the form, with the filled-out information, and prompts you to correct the incorrect info. The real question is why the browser is saving the page to disk. This likely amounts to an interaction between the cache control directives that the browser (IE in this case, I guess) listens to and what the server sends. You also suggested that it happens even when you select "do not save encrypted pages to disk" in IE; if so, that would seem to be a bug in IE. The point is there are more cases where caching pages to disk can result in sensitive information being saved than this, and the website/browser combination needs to deal with them regardless of whether Passport Wallet is in the picture or not. Passport Wallet just makes it a little more important to deal with it.
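The server-side half of the interaction Marc describes is the cache-control directives the site sends on a page that renders secrets. As an added illustration, not code from either poster, here is a small audit of those headers against HTTP/1.1 (RFC 2616) caching rules; the header values in RECOMMENDED and the WEAK_SAMPLE response are constructed for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List

# Hardened header set for a response whose rendered HTML carries secrets
# (values chosen here as an assumption; the thread names no header values).
RECOMMENDED: Dict[str, str] = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",  # for HTTP/1.0 caches that ignore Cache-Control
    "Expires": "0",        # an invalid date counts as already expired
}

# Constructed sample of a typical "just let it cache" checkout response.
WEAK_SAMPLE: Dict[str, str] = {
    "Date": "Tue, 13 Nov 2001 22:00:13 GMT",
    "Cache-Control": "max-age=600",
    "Expires": "Tue, 13 Nov 2001 22:10:13 GMT",
}

def parse_cache_control(value: str) -> Dict[str, str]:
    """'no-store, max-age=600' -> {'no-store': '', 'max-age': '600'}."""
    out: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip().lower()
        if token:
            name, _, arg = token.partition("=")
            out[name.strip()] = arg.strip().strip('"')
    return out

def audit_sensitive_response(headers: Dict[str, str]) -> List[str]:
    """List the reasons a browser or proxy may keep this page on disk."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: the page may be persisted")
    if "no-cache" not in cc and cc.get("max-age", "0") != "0":
        findings.append("max-age=%s allows reuse without revalidation" % cc["max-age"])
    if "private" not in cc and "no-store" not in cc:
        findings.append("no 'private': shared caches such as proxies may store it")
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing for HTTP/1.0 caches")
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
            now = parsedate_to_datetime(h["date"]) if "date" in h else datetime.now(timezone.utc)
            if expires > now:
                findings.append("Expires lies in the future: explicit freshness lifetime")
        except (TypeError, ValueError):
            pass  # "0" / "-1" are not dates, hence already expired (RFC 2616 14.21)
    return findings
```

Run audit_sensitive_response(WEAK_SAMPLE) to see every reason the filled-in page ends up in the browser cache, and against RECOMMENDED to confirm a clean result.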