From graeme@chem2.chem.swin.edu.au Mon Dec 4 18:24:07 PST 1995 Article: 25873 of hks.lists.cypherpunks Path: hks.net!news-mail-gateway!owner-cypherpunks From: graeme@chem2.chem.swin.edu.au (Graeme Cross) Newsgroups: hks.lists.cypherpunks Subject: Netscape 2.0b2 allows for invasion of privacy (fwd) Date: 1 Dec 1995 00:04:35 -0500 Organization: HKS, Inc. Lines: 100 Sender: root@hks.net Message-ID: NNTP-Posting-Host: bb.hks.net Talking of Netscape - this posting prompted me to forward it given the security and privacy implications inherent in the problem. Cheers Graeme ------- Start of forwarded message ------- >From: Scott Weston >Subject: Netscape 2.0b2 allows for invasion of privacy >Newsgroups: aus.net.announce,comp.privacy >Date: Fri, 01 Dec 1995 11:09:06 +1100 Hi 'Net Dwellers, First off - I've posted this before (however not to this group) and only got a response from the Netscape Corp. They were glad I found the problem and said that they would fix it, however I feel that people should know about it. Also I would like people to help me spread this document around, i.e. if you know of a newsgroup (or people) that would find this interesting then please re-postit. On with the problem... I've recently got hold of the latest netscape, and was (at first) very excited about the new "LiveScripts" that it supports. If people don't yet know - these "LiveScripts" allow you to put small programs into your web page that is then executed by the Netscape client. There is no DIRECT way for these programs to send information back to the owner of the web page, however I was able to do it in a not-so-direct way. The "LiveScript" that I wrote extracts ALL the history of the current netscape window. By history I mean ALL the pages that you have visited to get to my page, it then generates a string of these and forces the Netscape client to load a URL that is a CGI script with the QUERY_STRING set to the users History. The CGI script then adds this information to a log file. Now if this hasn't quite CLICKED yet lets do a little example. Johnny Mnemonic starts up his newly acquired version of Netscape2.0b2 to start his daily "surf" session. First he decides to check his CD-NOW purchase and uses the handy Auto-Login URL. Then he decides to go to Lycos and do a search. In his search he find my page, which he decides to visit. Suddenly he is transported, not to my main page but to one of my CGI scripts, which in turn happens to have ALL the URL's he just been to in it. This means that in my log will be: - the URL to use to get into CD-NOW as Johnny Mnemonic, including username and password. - The exact search params he used on Lycos (i.e. exactly what he searched for) - plus any other places he happened to visit. I do this in a way that the user will KNOW that it has happened and will _hopefully_ email Netscape and tell them they are NOT impressed. But it would be EASY for me to change the CGI script so that the user is unaware that it has actually happened, unless they closely examine their URL history (in fact they'll probably just think its a netscape bug). If you're skeptical about this then do the test yourself. Get netscape 2.0b2 and do some normal surfing, and then go to Lycos. Do a search for: scotts car boot sale which should return the URL - http://www.tripleg.com.au/staff/scott Click on the URL and sit back an watch. First my main page will show up but a little while later you should be transported to a CGI bin script that will show you your URL history. I have tested this with both the Linux 2.0b2, and Solaris 2.0b2 versions and both have done the same thing. I would be interested in knowing if it happens for ALL versions of Netscape2.0b2. The log file does log the User Agent (i.e. the name of the platform you are using) so by simply going to the page I will know that your version of Netscape is also open to this form of attack. Currently I can find no way to configure Netscape2.0b2 to NOT run LiveScripts - and at the very least this option should be quickly added to the next version of netscape to be released. But a far better solution (IMHO) would be for netscape to pop up a window before running the LiveScript and let you know what the LiveScript wants access to, e.g. if it only wants to print out the current time then that's OK, but if it wants to read my history list and then transport me to a CGI script and add me to a logfile then maybe I would say NO. I think I've said enough.... If you've got any further questions, or want some more information just email me : scott@tripleg.com.au -- Scott. Quote from a car accident insurance claim: "I told the police that I was not injured, but on removing my hat, I found that I had a skull fracture." ------- End of forwarded message ------- From llurch@networking.stanford.edu Mon Dec 4 18:24:27 PST 1995 Article: 25877 of hks.lists.cypherpunks Path: hks.net!news-mail-gateway!owner-cypherpunks From: llurch@networking.stanford.edu (Rich Graves) Newsgroups: hks.lists.cypherpunks Subject: Re: Netscape 2.0b2 allows for invasion of privacy (fwd) Date: 1 Dec 1995 00:57:15 -0500 Organization: HKS, Inc. Lines: 11 Sender: root@hks.net Message-ID: NNTP-Posting-Host: bb.hks.net [As seen on the cypherpunks list] I just confirmed this for Mozilla/2.0b3 (Win95; I). I also see an entry >from the Mac version of 2.0b3. No need for anyone else to test it. Very nasty indeed. To what other variables might someone have access? Scott is probably going to be responsible for a good bit of the traffic on the trans-pacific cables tomorrow :-) -rich From adam@lighthouse.homeport.org Mon Dec 4 18:29:52 PST 1995 Article: 25881 of hks.lists.cypherpunks Path: hks.net!news-mail-gateway!owner-cypherpunks From: adam@lighthouse.homeport.org (Adam Shostack) Newsgroups: hks.lists.cypherpunks Subject: Re: Netscape 2.0b2 allows for invasion of privacy (fwd) Date: 1 Dec 1995 01:17:38 -0500 Organization: HKS, Inc. Lines: 47 Sender: root@hks.net Message-ID: <199512010605.BAA18775@homeport.org> NNTP-Posting-Host: bb.hks.net About a month ago, I made the argument that Java, despite its imperfections, is much better than most things we'll see. I stand by this argument, and urge Netscape to use only Java* as a scripting language. *By Java, I mean the class of languages designed with security in mind. I think that means Java and Safe-TCL. Taint-perl is not useful; its designed for unsafe input from a user, not unsafe code. People with time to hack netscape might experiment with location.href = "file://.pgp/secring.pgp" and see if you can write a script to export it somewhere. And here's how its done. Hitting the page makes your history public knowledge. (Btw, Bal, is Netbsd1.1 stable yet? :) scott@tripleg.com.au wrote this code: