




More Netscape Passwords Available.









=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

   Date: Wed, 22 Dec 1999 06:58:52
   From: Rob Jones <robert.e.jones@CWO.COM.AU>
     To: BUGTRAQ@SECURITYFOCUS.COM
Subject: More Netscape Passwords Available.
--------------------------------------------------------------------------------


Netscape 4.7 stores passwords in preferences.js even
if you never ever even once tell it 'remember passwords',
and even if it's a fresh install of 4.7 (the Solaris install I tested
on has never seen any other version of Netscape).

I thought I was losing it with people pointing out that this didn't work
when I thought it did but I've done my homework this time and
this bug does definitely affect

   Solaris 2.5 Netscape 4.7
   Redhat Linux 6.0 Netscape 4.7

However it only stores them in the file from the time you log onto
your mail server to the time you quit and close all Netscape windows.

Obviously this isn't as bad as it could be but it does mean there is a
window of opportunity for a hacker to grab your password
from this file. Like sending you a mail, saying check out this attachment.
You will have had to type in your password (it's then in the file), and
the application you run can grab your password .... The rest is obvious.

Rob

P.S. This was tested with an IMAP rather than POP server, but I doubt
if it's any different.

P.P.S. No I've not contacted Netscape yet. If anyone thinks they would
change this then please email them. I haven't got time because I
leave this job (permanently, not just for Christmas) on Friday and
I have too much to do before then to find the right person to contact.
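
An added example, not part of the original post: a defender-side audit of a preferences.js file that reports, without ever returning the values, which prefs currently hold a non-empty password string and whether the file mode lets other local users read it. The `user_pref("name", value);` line format is assumed, and the pref names and values in the sample are constructed.

```python
import os
import re
import stat
import tempfile

# Assumed line format: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')


def audit_prefs(path):
    """Return (mode_findings, exposed_pref_names); values are never returned."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    checks = ((stat.S_IRGRP, "group-readable"), (stat.S_IROTH, "world-readable"))
    mode_findings = [label for bit, label in checks if mode & bit]
    exposed = []
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            m = PREF_RE.match(line)
            if not m:
                continue
            name, value = m.groups()
            # Only quoted, non-empty strings count; booleans and "" do not.
            is_string = len(value) > 2 and value[0] == '"' and value[-1] == '"'
            if is_string and "password" in name.lower():
                exposed.append(name)
    return mode_findings, exposed


def demo():
    # Constructed sample: "remember" is off, yet one password string is present.
    sample = (
        '// constructed sample, hypothetical pref names\n'
        'user_pref("mail.remember_password", false);\n'
        'user_pref("mail.example_server.password", "c2VjcmV0");\n'
        'user_pref("mail.other_server.password", "");\n'
        'user_pref("browser.startup.page", 1);\n'
    )
    with tempfile.NamedTemporaryFile("w", suffix=".js", delete=False) as fh:
        fh.write(sample)
    os.chmod(fh.name, 0o644)  # readable by group and others
    try:
        return audit_prefs(fh.name)
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    print(demo())
```

Running it against the real file while a mail session is open and again after all windows are closed shows whether the window described in the post exists on a given install.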

