Re: IE 5.0 vulnerability
Blue Boar (BlueBoar THIEVCO.COM)
Sun, 24 Oct 1999 10:56:08 -0700
- Next message: Max Vision: "Re: Classes?"
- Previous message: Blue Boar: "Administrivia #2808"
- Next in thread: David Schwartz: "Re: IE 5.0 vulnerability"
> Josh Burns wrote:
>
> I'm not sure if this has been announced yet, but here goes.. I am not
> sure if this is an IE 5 problem, or not, but when you have cookies
> enabled (default setting), and you use a service like AOLMail, Hotmail,
> or anything that requires a name and password, it is stored in a cookie
> for later use. If the user closes IE, and then reopens it, and goes to
> the same page, and types in the first letter of their login name, a
> drop-down box will come up, with their user name in it, and you can click
> it. Then, if the user clicks on the password field, it automatically
> fills in their password. I'm not sure what the cookie for this looks
> like, if the stored password is encrypted, or not, because I didn't have
> time to test. This can most likely be fixed by going to Internet
> Options, and turning off cookies from all hosts. Please give me some
> feedback on this.
IE5 includes a "feature" that allows it to remember what you've typed into
various web form fields, to make it easier to fill out forms later.
This feature is called "autocomplete" and is part of the IntelliSense
feature set. You can read briefly about it here:
http://www.microsoft.com/windows/Ie/Features/Intellisense/default.asp
It's not related to cookies in any way, near as I can tell.
Certainly, it's not a feature most of us would want to turn on. It looks
like it starts remembering all fields, as soon as you turn it on. Almost
any web user will have to put something in that constitutes a password at
some point.
Here's a bit from the IE5 help:
"To enter Web information more easily
The AutoComplete feature saves previous entries you've made for Web
addresses, forms, and passwords. Then, when you type information in one of
these fields, AutoComplete suggests possible matches. These matches can
include folder and program names you type in the Address bar, and search
queries, stock quotes, or information for just about any other field you
fill in on a Web page.
In the Address bar, a field on a Web page, or a box for a username or
password, start typing the information.
If you've typed a similar entry before, AutoComplete lists possible matches
as you type.
If a suggestion in the list matches what you want to enter in that field,
click the suggestion.
If not, continue typing.
Notes
The information used for suggested matches is stored on your computer and
is encrypted to protect your privacy.
Web sites cannot gain access to this information. They can only receive
what you explicitly enter in forms.
When typing information in Web forms, and typing passwords, you can remove
an item from the list of suggestions by clicking the item and then pressing
the DELETE key.
Related Topic
Adjust AutoComplete settings"
Here's the piece on AutoComplete settings:
"To adjust AutoComplete settings
You can tailor the AutoComplete feature to save and suggest only the
information you want. You can choose whether to use AutoComplete for Web
addresses, forms, and passwords, or not use it all. And you can clear the
history for any of these.
On the Tools menu in Internet Explorer, click Internet Options.
Click the Content tab.
In the Personal information area, click AutoComplete.
Select the check boxes for the AutoComplete options you want to use. "
The part that grabs my attention is that it claims to be "encrypted" on the
disk, to help protect privacy. I'd be suspicious of that. If IE can
"decrypt" them without asking you for an unlocking password, then they're
just encoded, or the crypt key is sitting on the drive, too.
As you've seen, if someone is sitting at your machine, and they fire up IE,
they get all your info.
BB
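
The storage argument in the message above, sketched as an added Python example (not part of the original post, and not IE's actual storage format): a store that decrypts without asking for anything must keep its key next to the data, while a passphrase-derived key is never written to disk. The file names, the `seal`/`unseal` helpers and the HMAC-based toy cipher are assumptions made for illustration.

```python
import hashlib, hmac, os

def _xor_stream(key, nonce, data):
    # Toy cipher for illustration: HMAC-SHA256 in counter mode as a keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def _subkeys(key):
    # Separate keys for encryption and integrity, both derived from the master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, plaintext):
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + hmac.new(mac, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted record")
    return _xor_stream(enc, nonce, ct)

def save_key_on_disk(entry):
    # Design A: the program can decrypt silently because the key sits beside the data.
    key = os.urandom(32)
    return {"forms.dat": seal(key, entry), "forms.key": key}

def load_key_on_disk(disk):
    # Needs nothing but the files, so any reader of the disk gets the plaintext.
    return unseal(disk["forms.key"], disk["forms.dat"])

def _kdf(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def save_passphrase_locked(entry, passphrase):
    # Design B: only a salt is stored; the key exists only while the passphrase is supplied.
    salt = os.urandom(16)
    return {"forms.dat": seal(_kdf(passphrase, salt), entry), "forms.salt": salt}

def load_passphrase_locked(disk, passphrase):
    return unseal(_kdf(passphrase, disk["forms.salt"]), disk["forms.dat"])
```

In design A the ciphertext looks opaque, yet everything needed to reverse it is in the returned dictionary; in design B a wrong passphrase fails the integrity check and `unseal` raises `ValueError`.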
This archive was generated by hypermail 2.0b3 on Sun Oct 24 1999 - 12:59:14 CDT