From: 3APA3A (3APA3ASECURITY.NNOV.RU)
Date: Fri Jun 08 2001 - 03:31:50 CDT

    Hello Thomas,

    --Wednesday, June 06, 2001, 8:36:39 PM, you wrote to bugtraqsecurityfocus.com:

    TC> On Tue, 5 Jun 2001, 3APA3A wrote:

    Risk : Low

    TC> This does not seem like a real issue to me, and it certainly
    TC> does not qualify as an exploit. This information would seem

    Yes, as I wrote in the advisory, I really treat this problem as
    security-related only in conjunction with others. An example is this
    quote from the Netscape security notes:
    http://home.netscape.com/security/notes/index.html

    "JavaScript Cookie Exploit - An exploit was reported for Netscape
    Communicator 4.72 and earlier in which a hostile site can read the
    links in a user's bookmark file and some attributes of HTML files if
    the user's profile name and the Communicator installation directory
    path are known to the hostile site".

    Now you can learn the user's profile name and installation directory
    and launch the attack automatically by e-mail. The e-mail message can
    "call back" the "hostile site" with information on the user's profile.
    I don't believe this is the only exploit of this kind.

    If you still think it's not a security issue - well, you're right :)

    TC> useful only if we believed that security through obscurity had
    TC> merit. Compound this with the fact that most people are not even
    TC> trying to hide their user account names, and that Netscape mail
    TC> locations are typically standardized in default directories
    TC> anyway. This information appears to be useless for anyone trying
    TC> to compromise security.

    And I _completely_ disagree with your opinion on the login. You're
    talking about corporate security while I care about individual privacy.

    Sure, if you use the name Thomas Corriher with the e-mail
    tcorriherearthlink.net while reading your IMAP folder with PINE from
    your personal notebook, your login name and the location of your host
    are really not important. But if you use the name "3APA3A" and you
    have a couple more names of this kind, and you read your mailboxes
    from a corporate office and want to stay a little bit anonymous at the
    same time, things are slightly different. In my case I don't care, and
    you can get my login name another way, for example via netstat (I
    didn't filter it). But in a different situation I would be really
    upset if someone knew my Unix or NT login + my IP just because I read
    his e-mail :) In that case I _definitely_ want to replace my e-mail
    software with something that doesn't allow JavaScript at all :) (In
    fact I use The Bat!, which does not.)

    TC> It is interesting, and I would like to commend the poster for
    TC> his cleverness nevertheless.

    Wow. Thanks :) I find this "feature" of Netscape very convenient - it
    allows me to spy on how often my web site is mentioned in private
    correspondence :))

    -- 
    ~/3APA3A
    But then, eggs, heels and bishops could come into anyone's head. (Lem)