Vulnerability Development mailing list archives

RE: .NET Passport: WALLET SERVICE


From: Marc Slemko <marcs () znep com>
Date: Tue, 13 Nov 2001 14:00:13 -0800 (PST)

On Tue, 13 Nov 2001, http-equiv () excite com wrote:

> Interesting project, and well understood. However, it seems that the problem
> in this case is actually the .NET Passport toy wallet thing.
>
> If you entertain an online purchase, you go "shopping" and "add to basket"
> etc. You would then go to the "checkout". When you arrive at the "checkout",
> you are met with blank forms which you are expected to fill out (name,
> shipping address, credit card info etc.). Obviously at this time, if you
> rooted around the browser temp file and retrieved this page, the forms will
> be blank and nothing sensitive to be revealed. You would then fill in the forms
> with the data and fire away. Hopefully, as you indicate, the data would be
> 'POSTED' and that's the end of that.
>
> But
>
> The wallet gimmick automatically fills in the forms with your sensitive
> data, so once you arrive at the "checkout" the forms are filled in, the
> entire filled in page rendered and cached, and if you root around the
> browser temp file and retrieved the page, obviously the entire page with
> filled in forms are there for all to see.

No, it isn't fair to say this is a hole with Passport Wallet.  The
exact same thing can happen under "normal" circumstances on many
sites if you fill out some of the information on the form incorrectly,
etc. and the server redisplays the form, with filled out information,
and prompts you to correct the incorrect info.

The real question is why is the browser saving the page to disk.
This likely amounts to an interaction between the cache control
directives that the browser (IE in this case, I guess) listens to
and what the server sends.  You also suggested that it happens even
when you select "do not save encrypted pages to disk" in IE; if
so, that would seem to be a bug in IE.  

The point is there are more cases where caching pages to disk can result
in sensitive information being saved than this, and the website/browser
combination needs to deal with them regardless of if Passport Wallet is
in the picture or not.  Passport Wallet just makes it a little more 
important to deal with it.
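
Added example (not part of the original message): a Python check of the response headers on a page that echoes form data, using the standard HTTP caching rule that only `no-store` forbids a cache from keeping a copy. The function names and the sample responses are constructed for illustration.

```python
import re

# Matches one directive: a token, optionally "=" and a token or quoted-string argument.
_DIRECTIVE = re.compile(r'([\w-]+)(?:\s*=\s*("[^"]*"|[^,\s]*))?')


def parse_cache_control(value):
    """Return {directive: argument or None} for a Cache-Control header value."""
    return {m.group(1).lower(): (m.group(2) or "").strip('"') or None
            for m in _DIRECTIVE.finditer(value)}


def audit_sensitive_response(headers):
    """Return (ok, findings); ok is True only if the response forbids storage."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return True, []
    findings = ["no-store absent: the browser may keep a copy in its disk cache"]
    if "no-cache" in cc:
        findings.append("no-cache forces revalidation but still allows a stored copy")
    if "private" in cc:
        findings.append("private only excludes shared caches, not the browser's own")
    if "no-cache" in h.get("pragma", "").lower():
        findings.append("Pragma: no-cache does not forbid storage")
    return False, findings


# Constructed sample responses for a checkout page that echoes form data.
REDISPLAYED_FORM = {"Content-Type": "text/html",
                    "Cache-Control": "private, max-age=0",
                    "Pragma": "no-cache"}
HARDENED_FORM = {"Content-Type": "text/html",
                 "Cache-Control": "no-store"}
NO_DIRECTIVES = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for name, resp in [("redisplayed", REDISPLAYED_FORM),
                       ("hardened", HARDENED_FORM),
                       ("bare", NO_DIRECTIVES)]:
        print(name, audit_sensitive_response(resp))
```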

