Byron York <byron@benefitrecovery.com> wrote:
>> ... I've checked a file named prefs.js ...
>> the IMAP mail part ... shows the unencrypted password ...
>>
>> user_pref("mail.imap.server.imap.computec.ch.password", "MyPassword4");
>> user_pref("mail.imap.server.imap.computec.ch.remember_password", true);
>>
>> This is also true for POP3 and perhaps for SMTP, NNTP and LDAP
>> passwords. The passwords are only stored if the remember password option
>> is set (e.g. line 18).
>>
>> It may be possible to extract these passwords during a sneaking access
>> to the system (local or remote by a backdoor)[1, 2] or examine a backup.
>> This weakness should be keeped in mind.
>>
>> I'm not sure if this vulnerability exists in other Netscape versions
>> (e.g. 6 or 7).
>>
>> [1] http://www.idefense.com/advisory/11.19.02c.txt
>> [2] http://www.securityfocus.com/bid/6215
>
> We use Netscape 4.74 with roaming profiles using POP3, and my prefs.js file
> keeps the password hidden:
>
> user_pref("mail.pop_name", "byron");
> user_pref("mail.pop_password", "encryptedstuff");
> user_pref("mail.remember_password", true);
>
> I am not sure if the encryption is turned on someplace, but I suspect it is
> on by default, for it is definitely there for all of our POP clients using
> 4.74.
That is not encryption, but reversible obfuscation. Look in the Netscape
source code for how to decode that: Netscape is able to do it and send the
clear-text password to the POP server.
Do not allow Netscape (or other utilities, e.g. Eudora) to remember your
passwords.
Cheers,
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
