Passwords are often protected by replacing the displayed characters with '*', to hide them from 'over-the-shoulder' viewers. In addition, copy and paste is disabled for the contents of a password edit box.
However, certain flaws in the implementation of this protection make it possible to gain knowledge about the data behind the asterisks, and sometimes to reveal the password's content.
This is usually only a threat in a multi-user environment, but can also be employed by Trojans as an alternative to key-logging.
Credit:
The information has been provided by Jon Embury and Cody Smith.
Vulnerable systems:
Opera version 5
Opera version 6
Internet Explorer version 4.0
Internet Explorer version 5.5
Internet Explorer version 6.0
Opera browser:
In Opera, external processes can read the content of password boxes. ShoWin is one such application that will also divulge the contents of most password boxes in Windows.
In addition, Opera will remember the status of form elements, including passwords, when moving back and forward, so passwords are highly vulnerable throughout the life of the document window.
Internet Explorer:
If you enter a password that contains a mix of non-alphabetic and alphabetic characters into an MS IE password input and then use the keyboard to select it while holding down tab, the cursor or selected region jumps between the non-alphabetic characters in exactly the same manner as it does when you apply the same technique in Word, Interdev, Visual Basic etc.
This does not reveal the password, but it would seem to reveal at least some of its structure.
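How much that structure is worth to an observer can be estimated. The Python sketch below is an added example, not part of the original advisory; it assumes the caret stops wherever the character class changes between alphabetic and non-alphabetic, that the password length is visible from the asterisks, and that passwords are drawn from the 95 printable ASCII characters.

```python
import math

LETTERS = 52       # assumption: a-z and A-Z
NON_LETTERS = 43   # assumption: remaining printable ASCII, space included

def boundary_stops(password):
    """Indices where the class (alphabetic / non-alphabetic) changes.

    Assumed model of the caret stops an observer sees in the masked field.
    """
    return [i for i in range(1, len(password))
            if password[i].isalpha() != password[i - 1].isalpha()]

def run_lengths(stops, length):
    """Lengths of the same-class runs delimited by the stops."""
    edges = [0] + list(stops) + [length]
    return [b - a for a, b in zip(edges, edges[1:])]

def candidates_given_stops(stops, length):
    """Number of passwords consistent with the observed stops.

    Runs alternate between the two classes. The observer does not know
    which class comes first, so both alternatives are counted.
    """
    total = 0
    for first_is_alpha in (True, False):
        count, alpha = 1, first_is_alpha
        for n in run_lengths(stops, length):
            count *= (LETTERS if alpha else NON_LETTERS) ** n
            alpha = not alpha
        total += count
    return total

def leaked_bits(password):
    """Bits of search space lost once length and stops are known."""
    full = (LETTERS + NON_LETTERS) ** len(password)
    seen = candidates_given_stops(boundary_stops(password), len(password))
    return math.log2(full) - math.log2(seen)

if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ("correcthorse", "pass-word", "a1b2c3d4"):
        print(pw, boundary_stops(pw), round(leaked_bits(pw), 2))
```

A masked field that treats its whole content as a single unit for keyboard navigation produces no stops and leaks none of this.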