Monday, March 24, 2008

Fears come true

I've always been uneasy about browsers capability to store passwords for sites you visit. Seems no one talks about this, but I've always restrained from using it, seeing how this kind information would be the motherload for any curious wannabehacker.
Today I came across the tools to do just this, extract stored passwords, in plaintext.
The accused are Nirsofts;
Protected Store PassView - http://www.nirsoft.net/utils/pspv.htmle
Network Password Recovery - http://www.nirsoft.net/utils/network_password_recovery.html
IE7 Password - http://www.nirsoft.net/utils/internet_explorer_password.html

All of the above works on XP, though only IE Passview paidoff with Vista. It returned a networklogon password onto a network computer and the google password. And this without any administrative privileges! Now, obviously this requires local access but imagine an intruder has gained access to your work computer while your at home or something like it. He would only need plainuser access to run this! From that he/she could extract your company network logon username and password. Easy enough to use this as an bridgehead into given companynetwork.

What do we learn from this? Never save passwords in any form of credentials manager!

No comments: