Re: One step easier password guessing on Windows

A few comments:

1) This is a known issue.
2) Revelation, snitch, openPass, etc. won't work in MSIE.
3) If the password is 'remembered' by the server (i.e., not cached, but sent as part of the HTML), you could just view source.
4) Not as relevant, but you could do some simple XSS to alert the password, e.g.:

alert(document.forms[0].thepasswordfieldname.value);


--- NP-completer <npcompleter@hotmail.com> wrote:
> Hi,
>
> Microsoft's IE has a feature of storing login passwords for future use. With
> (at least) IE 6 on Win2k SP3 (as well as others, see below), if you see the
> login screen with an <input type="password"...> tag, and the cached password
> appears as asterisks, if you stand at the beginning of the string and
> Ctrl+Shift+Right Arrow to select the whole string, if the password contains
> any delimiters (i.e. spaces, colons, commas, etc.) the selection will stop
> before it. That means that the next char is a delimiter. One might say,
> "why bother? Snadboy's Revelation will give me the cleartext password!"
> Well, this might be true with IE, but the same thing is with apps built
> with Java (tested on JDK 1.3), which Revelation doesn't reveal. By knowing
> the existence of a delimiter, and the number of chars, and some social
> engineering sense, one may guess the password.
> Example 1: Many people use dates as their passwords; they usually meet the
> regex '^([0-9]{1,2}[\/\-\.]){2}[1-9]{2,4}$'. This means that if you can find
> that the password pattern meets the previous pattern, easier guessing/brute
> forcing can be done.
> Example 2: Some people tend to use their full name, so a single separator
> between two parts with the same number of characters as the victim's full
> name means even easier guessing.
> I haven't tested on *NIX yet.
>
> Tested on:
> =======
>  * Internet Explorer 6 (On Win2k Pro SP3)      =====> Vulnerable
>  * Netscape Navigator (On Win2k Pro SP3)       =====> Not Vulnerable
>  * Mozilla (On Win2k Pro SP3)                  =====> Not Vulnerable
>  * Opera 6.02 (On Win2k Pro SP3)               =====> Vulnerable
>  * Java based applications/applets (JDK 1.3)   =====> Vulnerable
>  * Visual C++ 6 (MFC 4.2) applications         =====> Not Vulnerable
>  * Visual Basic 6 applications                 =====> Not Vulnerable
>
> Peace
> NP-completer
> XEgypt.org


=====
-----BEGIN GEEK CODE BLOCK-----
  Version: 3.1 www.geekcode.com
GIT d--(---) s-:-- a-- C++++ UL@ P--- L++>+++ E---(-) W+++(-)$ N-(--) o-- K++ w(+)(-) O? !M ?V(-) PS+++@ PE-- Y+ PGP++ t+ 5-(++) X(+) R tv(--) b+>+++ DI++ D-(Quake+++) G+++ e* h r++>+++ y+(+++)
-----END GEEK CODE BLOCK-----
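
To gauge how much the delimiter leak discussed in this thread costs a password, the following added example (not code from either poster) estimates the remaining search space in bits before and after the length and delimiter positions are known. The delimiter set, the 95-character alphabet and the sample passwords are assumptions constructed for illustration.

```python
import math
import re

# Assumed delimiter set: the post names spaces, colons and commas; '.', '/'
# and '-' come from its date regex. Real word-break rules vary by toolkit.
DELIMS = frozenset(" :,./-")
ALPHABET = 95  # printable ASCII; assumed guessing alphabet

# Mask shape of the post's date regex: x = non-delimiter, D = delimiter.
DATE_MASK = re.compile(r"^x{1,2}Dx{1,2}Dx{2,4}$")


def leaked_mask(password):
    """Length and delimiter positions, i.e. what word-wise selection exposes."""
    return "".join("D" if ch in DELIMS else "x" for ch in password)


def bits_blind(length):
    """Search space (bits) when only the length is known."""
    return length * math.log2(ALPHABET)


def bits_with_mask(mask):
    """Search space (bits) once delimiter positions are known."""
    delims = mask.count("D")
    others = len(mask) - delims
    return delims * math.log2(len(DELIMS)) + others * math.log2(ALPHABET - len(DELIMS))


def bits_if_date(mask):
    """Search space (bits) if a date-shaped mask is assumed to hold digits only."""
    if not DATE_MASK.match(mask):
        return None
    delims = mask.count("D")
    return delims * math.log2(len(DELIMS)) + (len(mask) - delims) * math.log2(10)


if __name__ == "__main__":
    for pw in ("12/05/1998", "correcthorse", "jane smith"):  # constructed samples
        m = leaked_mask(pw)
        print(pw, m, round(bits_blind(len(pw)), 1), round(bits_with_mask(m), 1), bits_if_date(m))
```

For the constructed date-shaped sample the estimate falls from roughly 66 bits to under 32, which is the practical argument for password controls that ignore word-wise selection and navigation.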
