Possible Netscape Crypto Security Flaw

Haze (Haze@BEER.COM)
Sun, 14 Feb 1999 21:13:46 -0600

When you go into Netscape Messenger and check your mail, the software stores the password you used in the registry and encrypts it. It remains there for as long as Netscape is open. The login and password are kept in:

HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\biff\users\username(varies)\servers\

Here is the scenario...

Let's say Regular Joe A runs Netscape and then checks his email first off... He checks it, enters his password, and his password is stored in the registry... Let's say after he gets done checking his mail, he doesn't close Netscape and decides to browse the web. He comes up along Malicious Site A which contains malicious JavaScript code to read his local registry files and retrieve his mail server login (unencrypted), encrypted password, and his mail server. Well then the cracker could perform a brute force crack on the encryption and attempt to gain access to Regular Joe A's ISP and/or POP3 e-mail account...

---------------------------------------------------------------------------

Re: Possible Netscape Crypto Security Flaw

HD Moore (hdmoore@USA.NET)
Tue, 16 Feb 1999 13:02:08 -0600

First of all, if someone can access your registry files via a javascript, you have worse problems to deal with. The storing of the mail password in the registry was mentioned in a post of mine that can be found at:

http://geek-girl.com/bugtraq/1998_4/0344.html

The password is *still* in the registry after you close Netscape; keeping Netscape open is not required. If they could access your registry files to begin with, why not save the trouble of digging it out and just snag prefs.js / preferences.js?

Anyways, my 2 cents..
-HD

---------------------------------------------------------------------------

Re: Possible Netscape Crypto Security Flaw

Pete Krawczyk (pkrawczy@UIUC.EDU)
Tue, 16 Feb 1999 11:07:05 -0600

At 09:13 PM 2/14/99 -0600, Haze wrote:
>Well then the cracker could perform a brute force crack on the encryption and
>attempt to gain access to the Regular Joe A's ISP and/or pop3 e-mail
>account...

To get to the POP3 account, you'd only need to put the password in a registry key of your own, then check the mail. I would imagine that the key to encrypt is the same across all copies of Netscape.

Along those lines, if you had a sniffer next to the computer you put the encrypted password on, you could sniff the real password in transit and thus not have to brute force attack the password, since POP3 is cleartext traffic.

-Pete K
--
Pete Krawczyk
http://www.uiuc.edu/ph/www/pkrawczy/
pkrawczy at uiuc dot edu
Finger the 2nd address for PGP Public Key
petek at bsod dot net
"No spammies, no spammies, no spammies... stop!"