OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Posible privacy problem in Explorer.
From: Kevin van der Raad (k.van.der.raadITSEC.NL)
Date: Mon Sep 11 2000 - 07:22:28 CDT

I had another folder location:
C:\WINNT\Profiles\<user>\Application Data\Microsoft\Internet
Explorer\UserData\...

I found some useful information about this technique at the following
address:
http://www.siteexperts.com/ie5/tips/ts01/page1.asp

Can a page access other pages UserData?

Elias Levy wrote:
>
> This indeed seems to be the case. Deleting all cookies, emptying the cache
> and removing everything from the Temporary Internet Files folder does
> not make a difference. The web site still displays the saved queries.
>
> After some digging around I found where the data is stored (at least
> in my machine). On my Windows NT 4.0 machine running IE 5 the data
> is stored under C:\WinNT\Profiles\<user>\UserData\81urcl6v\oQRStore[1].xml
> It seems some ActiveX control is being use to save XML to the local machine.
>
> Not a big problem but certainly a privacy issue. Advertisers would love
> to use something like this so this since the user is not aware of where
> the data is stored.
>
> --
> Elias Levy
> SecurityFocus.com
> http://www.securityfocus.com/
> Si vis pacem, para bellum
>
> Message-ID: <39B84795.8A32DC4Fredestb.es>
> Date: Fri, 08 Sep 2000 03:57:41 +0200
> From: "Guille (Bisho)" <guilleredestb.es>
> Reply-To: bishoeurielec.etsit.upm.es
> Organization: Eurielec
> To: bugtraq <BUGTRAQSECURITYFOCUS.COM>
> Subject: Posible privacy problem in Explorer.
>
> In the Microsoft website http://search.msn.com.mx the use a method to
> store the searchs done in his search engine, but without cookies and
> without login&password. You could deactivate the cookies, delete them,
> log off your ISP, close the explorer, reboot, and the data will be there
> again.
>
> The link to the script is: <A CLASS='CLSSAVE' HREF=""
> onClick="StoreResult( 1, 'DE' );return false;" ID='DES1'>
>
> The function is inside:
> <SCRIPT SRC="searchui_IE5.js" LANGUAGE="JScript">
> This is an ugly script without newlines. I have procesed ir a bit to
> make it more readable:
> $ cat searchui_IE5.js | awk '{ gsub(";", ";\n") } { gsub("}"," }\n") }
> { gsub("{"," {\n") } { gsub("function","\n\nfunction") } { print $0 }'
>
> The results are in:
> http://www.eurielec.etsit.upm.es/~bisho/searchui_IE5.js.txt
>
> It uses the called "User Data Persistence" technology, from Microsoft.
>
> Extracted from the microsoft knowledge database:
> ---------------------------------------------
> Persistence
>
> One big pain in the neck for users on the Web is going to a Web page,
> modifying it the way they want it, leaving, then returning to the site
> to find it's not the same: the trees are collapsed, forms filled-out
> have disappeared, and the page must be reset. Internet Explorer 5.0
> takes some of this pain away by providing Web-page persistence via a
> scripting tag.
>
> Internet Explorer 5.0 provides four types of persistence:
>
> [...]
> User Data Persistence: Allows an XML-based storage methodology for
> saving large amounts of user data. If you have a large amount of data
> that you want to save from some point in time (for example, all of your
> favorite sport's teams' scores for the last 10 years), you can use
> persistence rather than cookies.
> [...]
>
> ---------------------------------------------
>
> The problem:
> Most people deactivate Cookies, or set it in the warn level, but the
> "User Data Persistence" has not warn level, and is oculted far away of
> the cookies security options. this could be used to track users without
> their knowledge, when they espect to be safe without cookies.
>
> --
> \|||||||/ Guillermo Pérez Pérez
> < o o > - bishoonirica.com
> \ L / - bishoeurielec.etsit.upm.es
> -oOOo-------oOOo-
> Onírica: Análisis, diseño e implantación de soluciones informáticas
> http://www.onirica.com