Updated August 13, 1999

KeyLabs Tests Confirm...

Internet Explorer 5, Netscape 4.61
Reveal FTP User Names and Passwords

FORGET ABOUT the theoretical security holes in Internet Explorer 5 you've been reading about lately -- you know, the ones that have never caused anyone in the known universe any harm and probably never will because an army of ultra high-level hackers would be required to open the hole.

For a refreshing change of pace, here's one that bites both Internet Explorer 5 and Netscape 4.61 users every time they access a password protected FTP site, revealing their User Name and Password. Best of all, no "malicious hackers" are required!

To expose yourself (or rather your User Name and Password), all you have to do is access a password protected FTP site. After typing your User Name and Password, you will be granted access to the site.

When you double-click a file to download it from the FTP site, a fascinating bit of information appears at the bottom of the screen in Internet Explorer 5. There your User Name and Password are displayed for all to see in the form ftp://UserName: Password@test.com/filename.txt, where test.com is the FTP site and filename.txt is the file you're downloading.

In the above screenshot supplied by KeyLabs, the User Name was "BugNet," and the Password was "CanYouSeeMe."

Depending on the size of the file being downloaded, IE5 and Netscape users could have their privates exposed to fellow workers, people wandering through the office, etc. for hours at a time.

Bill Molnar, a computer programmer in Huntington, BC, said "we've seen the same thing when logging into Comshare Inc.'s support FTP site using Netscape 4.61."

MICROSOFT ACKNOWLEDGED the problem and stressed that the User Name and Password are only displayed on the screen of the connecting machine.

A Microsoft spokesperson said the company is "committed to providing Internet Explorer customers with a secure browsing experience and will address this issue in a future update to the browser."

Several quick and dirty work-arounds immediately suggest themselves. BugNet reader Scott Schnoll supplied the following:

1. Turn the status bar off
2. Minimize the browser window
3. Close the browser window (leaving the download progress dialog open)
4. Lock their workstation (on NT)
5. Use a password protected screen saver

Users should be aware, however, that FTP is not a secure protocol. "I don't know how may people realize this," said JD Brisk of KeyLabs, which confirmed the bug at BugNet's request.

"Just for fun to show how User Name and Passwords are passed using FTP," said Brisk, "we stuck an off the shelf Network Monitor on the wire to capture the usernames and passwords such as any cracker would do."

As the screenshot above shows, the FTP User Name "BugNet" and Password "CanYouSeeMe" are clearly exposed in the FTP data stream.

-- Bruce Brown


© BugNet material copyright 1994-1999 by BugNet.
® BugNet is a Registered Trademark of KeyLabs.
Astonisher.com material is

© Copyright 1973 - 2020 by Bruce Brown and BF Communications Inc.
Astonisher.com is a trademark of BF Communications Inc.

This historic replica of BugNet from the period 1994-1999
is presented by astonisher.com with the permission of BugNet.

BF Communications Inc.
P.O. Box 393
Sumas, WA 98295 USA
(360) 927-3234

Website by Running Dog

* Here's Bruce Brown's BugNet Memoir...
* Here's the free BugNet from 1999...

Software testing for BugNet is provided by KeyLabs, the world's largest independent PC testing facility.