Updated August 13, 1999
KeyLabs Tests Confirm... Internet Explorer 5, Netscape 4.61 Reveal FTP User Names and Passwords
FORGET ABOUT the theoretical security holes in Internet Explorer 5 you've been reading about lately -- you know, the ones that have never caused anyone in the known universe any harm and probably never will because an army of ultra high-level hackers would be required to open the hole.

For a refreshing change of pace, here's one that bites both Internet Explorer 5 and Netscape 4.61 users every time they access a password protected FTP site, revealing their User Name and Password. Best of all, no "malicious hackers" are required!
To expose yourself (or rather your User Name and Password), all you have to do is access a password protected FTP site. After typing your User Name and Password, you will be granted access to the site.

When you double-click a file to download it from the FTP site, a fascinating bit of information appears in the status bar at the bottom of the Internet Explorer 5 window. There your User Name and Password are displayed for all to see in the form ftp://UserName:Password@test.com/filename.txt, where test.com is the FTP site and filename.txt is the file you're downloading.
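The root of the display problem is that the browser echoes the full URL, userinfo included, without masking it. As an added example (not code from BugNet, KeyLabs or either browser vendor), here is how a client or log pipeline can strip the password from such URLs before they reach a status bar or a log file; the sample log line and its credentials are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

MASK = "***"

# Matches anything that looks like a scheme://... token inside free text
# (status-bar captures, proxy or download logs).
_URL_TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://[^\s\"'<>]+")


def redact_url_credentials(url: str) -> str:
    """Return url with any password in its userinfo replaced by MASK.

    ftp://BugNet:CanYouSeeMe@test.com/filename.txt
        -> ftp://BugNet:***@test.com/filename.txt
    A user name without a password, or a URL with no userinfo at all,
    is returned unchanged.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    # Split at the LAST '@' so an '@' inside the password is not
    # mistaken for the userinfo/host boundary.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user, had_password, _secret = userinfo.partition(":")
    if not had_password:
        return url
    return urlunsplit(parts._replace(netloc=f"{user}:{MASK}@{hostport}"))


def scrub_text(text: str) -> str:
    """Redact every credential-bearing URL found in a block of text."""
    return _URL_TOKEN.sub(lambda m: redact_url_credentials(m.group(0)), text)


# Constructed sample: the kind of line a client might write to its
# download log (the host, user name and password are made up).
SAMPLE_LOG = (
    "1999-08-13 10:02:11 GET ftp://BugNet:CanYouSeeMe@test.com/filename.txt 200\n"
    "1999-08-13 10:02:12 GET ftp://anonymous@test.com/README 200\n"
)

if __name__ == "__main__":
    print(scrub_text(SAMPLE_LOG))
```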
In the above screenshot supplied by KeyLabs, the User Name was "BugNet," and the Password was "CanYouSeeMe."

Depending on the size of the file being downloaded, IE5 and Netscape users could have their privates exposed to fellow workers, people wandering through the office, etc. for hours at a time.
Bill Molnar, a computer programmer in Huntington, BC, said "we've seen the same thing when logging into Comshare Inc.'s support FTP site using Netscape 4.61."

MICROSOFT ACKNOWLEDGED the problem and stressed that the User Name and Password are only displayed on the screen of the connecting machine.

A Microsoft spokesperson said the company is "committed to providing Internet Explorer customers with a secure browsing experience and will address this issue in a future update to the browser."
Several quick and dirty work-arounds immediately suggest themselves. BugNet reader Scott Schnoll supplied the following:

1. Turn the status bar off
2. Minimize the browser window
3. Close the browser window (leaving the download progress dialog open)
4. Lock their workstation (on NT)
5. Use a password protected screen saver
Users should be aware, however, that FTP is not a secure protocol. "I don't know how many people realize this," said JD Brisk of KeyLabs, which confirmed the bug at BugNet's request.

"Just for fun to show how User Name and Passwords are passed using FTP," said Brisk, "we stuck an off-the-shelf Network Monitor on the wire to capture the usernames and passwords such as any cracker would do."

As the screenshot above shows, the FTP User Name "BugNet" and Password "CanYouSeeMe" are clearly exposed in the FTP data stream.
-- Bruce Brown
© BugNet material copyright 1994-1999 by BugNet.
® BugNet is a Registered Trademark of KeyLabs.
Astonisher.com material is © Copyright 1973 - 2020 by Bruce Brown and BF Communications Inc.
Astonisher.com is a trademark of BF Communications Inc.
This historic replica of BugNet from the period 1994-1999 is presented by astonisher.com with the permission of BugNet.