lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue,  3 Oct 2006 01:56:23 +0100
From: Luís Miguel Silva <lms@...gaya.pt>
To: bugtraq@...urityfocus.com
Subject: Security flaw in IBM Client Security Password Manager

Hello all,

I recently found a security flaw in the design of the IBM Client Security
Password Manager (an application used to authenticate application forms using
fingerprints).

It came to my attention that the application only recognized my e-bank site and
authed against it if i had just created a profile. If i closed the browser and
opened a new one, the IBM Password Manager wouldn''t recognize the e-bank site.

I figured that the password manager mapped its profiles against the "window
name" property of the application.

In this case, the problem was that the bank dynamically changed the window title
to the current date.

Since the IBM Client Security Password Manager authenticates by mapping the
window title information, a malicious user could trick another user into
sending his credentials (by phishing, xss or by other simple methods...)

This is very easy to test:
a) using the IBM Client Security Password Manager, create a new profile for a
site with a static title (for instance, Horde webmail)
b) create a new site with the same window title and host it *anywhere you like*
c) go to that site and authenticate against it with the IBM Client Security
Password Manager application.

If you are using Horde (a portuguese version) you can test it in this page:
http://lms.ispgaya.pt/goodies/ibm/

It is actually ironic that, since the IBM application works this way, a user is
better off using the browsers builtin password manager (since it would detect
that the site isn''t safe / recognized).

Best regards,
+----------------------------------------
| Luís Miguel Ferreira da Silva
| Network Administrator @ISPGaya
| Instituto Superior Politécnico Gaya
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Tel: +351 223745730/3/5
| GSM: +351 912671471 +351 936371253
+----------------------------------------

----------------------------------------------------------------
Este email foi enviado via o webmail do ISPGaya
Instituto Superior Politécnico Gaya

Content of type "application/pgp-keys" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ