Bugtraq mailing list archives
Netscape Communicator 4.01a and 4.02 for Windows 95/NT allows
From: andre () CS UCSB EDU (Andre L. Dos Santos)
Date: Fri, 22 Aug 1997 20:22:44 -0700
Using the latest Netscape Communicator we are able to get your credit card number, password for online banking or online brokerage order, etc, only restricted by the imagination of the malicious server implementer. This is due to a flaw in Javascript identified by the Reliable Software Group at University of California Santa Barbara. It enables a malicious site to track all activities of a user in the Internet. Besides being able to get this information, which violates the user's privacy, by using an ingenious technique we are able to target chosen pages and use a fake server to convince the user to type in privileged information. We submitted a security bug report to Netscape, but we believe that this is a very serious threat, which is easy to implement. As such it should be widely disseminated. This flaw was tested in Netscape Communicator 4.01a, the latest version of Netscape, and it is described, together with other attacks in our paper at http://www.cs.ucsb.edu/~andre/attacks.ps. Netscape has released a new version of Communicator for Windows 95/NT. It is Netscape Communicator 4.02. In this version our attack is much more threatening. This is because on the previous version the access on the location object was better implemented and in order to get a string value to this object we had to close a second browser we opened. Using the new version of Netscape we are able, using an infinite loop, to access the string that represents the location object, against the security policy of Javascript. Therefore, using this version, we don't even need to close the second browser. We are still investigating which other security policies are badly implemented in this new version of Netscape Communicator. Andre L. dos Santos Reliable Software Group University of California Santa Barbara
Current thread:
- Netscape Communicator 4.01a and 4.02 for Windows 95/NT allows Andre L. Dos Santos (Aug 22)