Bugtraq mailing list archives
Re: Possible Netscape Crypto Security Flaw
From: hdmoore () USA NET (HD Moore)
Date: Tue, 16 Feb 1999 13:02:08 -0600
First of all, if someone can access your registry files via a javascript, you have worse problems to deal with. The storing of the mail password in the registry was mentioned in a post of mine that can be found at: http://geek-girl.com/bugtraq/1998_4/0344.html The password is *still* in the registry after you close netscape, keeping netscape open is not required. If they could access your registry files to begin with, why not save the trouble of digging it out and just snag prefs.js / preferences.js? Anyways, my 2 cents.. -HD Haze wrote:
When you go into Netscape Messenger and check your mail, the software stores the password you used in the registry and encrypts it. It remains there for as long as netscape is open. The login and password is kept in: HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\biff\users\ username(varies)\servers\<mail server>
[ -- snipped -- ]
javascript code to read his local registry files and retrieve his mail server login(unencrypted), encrypted password, and his mail server. Well then the cracker could perform a brute force crack on the encryption and attempt to gain access to the Regular Joe A's ISP and/or pop3 e-mail account...
Current thread:
- Re: Possible Netscape Crypto Security Flaw HD Moore (Feb 16)
- Yet Another password storing problem (was: Re: Possible Netscape Yiorgos Adamopoulos (Feb 19)