Spyware Sucks

But here is the dirty little secret of browser security: Even if every Internet browser made today were completely bug-free, it wouldn't stop malicious hackers and malware. Why? Because the vast majority of successful malicious exploits today don't exploit buggy browsers, but rather unwitting end-users. That is, Web-based malware is successful because end-users are intentionally installing it! Most exploit code doesn't search for an unpatched vulnerability, but simply asks the user to install. - Roger Grimes, Infoworld

"There is no magic fairy dust protecting Macs" - Dai Zovi, security researcher and co-author of The Mac Hacker's Handbook.

Just because you read it on the Internet, does not make it true

I came across a blog entry about Internet Explorer which draws assumptions about how the program stores 'autocompete' passwords that are simply wrong.

Here is the URL:
http://www.ecommerce-blog.org/archives/internet-explorer-auto-complete-stores-your-passwords-unencrypted/

For whatever reason, the blog's author seems to have come to the incorrect conclusion that because his "password managing program" was able to access and display his stord usernames and passwords that this therefore meant that IE stores autocomplete passwords in "a single flat-file that is unencrypted and can be easily read by a variety of program(s)".

The author's conclusions are incorrect. IE7 DOES encrypt autocomplete data. Yes, there are programs out there that can retrieve the stored data, but reality is the data *is* encrypted, and is *not* in a "flat file" (whatever the heck that means).

IE uses Protected Storage (and later Data Protection API (DPAPI)). To quote a Techet article:

"The Protected Storage service protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users. The service provides a set of software libraries that allow applications to retrieve security and other information from personal storage locations as it hides the implementation and details of the storage itself.

The storage location that is provided by this service is secure and protected from modification. The Protected Storage service uses the Hash-Based Message Authentication Code (HMAC) and the Secure Hash Algorithm 1 (SHA1) cryptographic hash function to encrypt the user’s master key. This component requires no configuration."

Source: http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx

To give you an idea of how IE stores passwords, have a look at this registry key - yes, that's Protected Storage in action:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

To give you an idea of how IE protects sensitive data, have a look at this registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

A big difference, yes?

So, to reiterate, yes there are programs out there that can retrieve the encrypted username and password data stored by IE, BUT, the data *IS* encrypted and it is *NOT* a "single flat file".

More information about Protected Storage / DPAPI:
http://msdn2.microsoft.com/en-us/library/aa925034.aspx

Published Wed, May 23 2007 20:25 by sandi

Filed under: Internet Explorer 7, Internet Explorer

Comments

# re: Just because you read it on the Internet, does not make it true

Wednesday, May 23, 2007 12:32 PM by Jim Pickering

Hi Sandi:

Did you see the info at this link:

feeds.feedburner.com/.../dell_google_sec.html

Jim

# re: Just because you read it on the Internet, does not make it true

Wednesday, May 23, 2007 11:26 PM by sandi

Jeez. No I did not.

I've said it before, and I'll say it again - Google is the next Evil Empire.

Spyware Sucks

This Blog

Syndication

Search

Tags

Community

Archives

News

Just because you read it on the Internet, does not make it true

Comments

# re: Just because you read it on the Internet, does not make it true

# re: Just because you read it on the Internet, does not make it true