Netscape Communicator 4.01a and 4.02 for Windows 95/NT allows
Andre L. Dos Santos (andre@CS.UCSB.EDU)
Fri, 22 Aug 1997 20:22:44 -0700
Using the latest Netscape Communicator we are able to get your credit card
number, password for online banking or online brokerage order, etc, only
restricted by the imagination of the malicious server implementer. This is
due to a flaw in Javascript identified by the Reliable Software Group at
University of California Santa Barbara. It enables a malicious site to
track all activities of a user in the Internet. Besides being able to get
this information, which violates the user's privacy, by using an ingenious
technique we are able to target chosen pages and use a fake server to
convince the user to type in privileged information. We submitted a
security bug report to Netscape, but we believe that this is a very
serious threat, which is easy to implement. As such it should be widely
disseminated. This flaw was tested in Netscape Communicator 4.01a, the
latest version of Netscape, and it is described, together with other
attacks in our paper at http://www.cs.ucsb.edu/~andre/attacks.ps.
Netscape has released a new version of Communicator for Windows
95/NT. It is Netscape Communicator 4.02. In this version our attack is
much more threatening. This is because on the previous version the access
on the location object was better implemented and in order to get a string
value to this object we had to close a second browser we opened. Using the
new version of Netscape we are able, using an infinite loop, to access the
string that represents the location object, against the security policy of
Javascript. Therefore, using this version, we don't even need to close
the second browser. We are still investigating which other security
policies are badly implemented in this new version of Netscape
Communicator.
Andre L. dos Santos
Reliable Software Group
University of California Santa Barbara