From: shamrock@netcom.com (Lucky Green)
To: cypherpunks@toad.com
Message Hash: 6d9bba46974836c20c060b5c96e806c5efa5cef1e2f23eb0fd6c6361fc634a03
Message ID: <v02120d88ad834ab42177@[192.0.2.1]>
Reply To: N/A
UTC Datetime: 1996-03-31 13:05:13 UTC
Raw Date: Sun, 31 Mar 1996 21:05:13 +0800
From: shamrock@netcom.com (Lucky Green)
Date: Sun, 31 Mar 1996 21:05:13 +0800
To: cypherpunks@toad.com
Subject: No Subject
Message-ID: <v02120d88ad834ab42177@[192.0.2.1]>
MIME-Version: 1.0
Content-Type: text/plain
Yes, Netscape caches passwords.
--- begin forwarded text
From: support@sfnb.com
Date: Fri, 29 Mar 96 17:27:02 -0500
Sender: <support@sfnb.com>
Apparently-To: bankusers@sfnb.com
Dear Security First customer:
With the release of Netscape Navigator 2.0, Netscape enhanced their
caching mechanism to improve the browser's performance. As a result
of this enhancement, the Navigator was storing Security First username
and password information when entered in cleartext on a customer's
local hard drive in a file called fat.db. Therefore, if a
knowledgeable and malicious person had access to a Security First
customer's computer, they could have potentially stolen that customer's
username and password. To our knowledge, this vulnerability was NOT
exploited by anyone.
We were made aware of this fact in an e-mail to the bank from Lucky
Green, a frequent contributor to the cypherpunks mailing list.
Immediately upon learning of this situation, Five Paces engineers
worked closely with Netscape engineers and fixed the problem. To
prevent caching of the username and password, we changed the login
script to include "pragma: no-cache" in the http header. This
command instructs the browser not to cache any information from this
page on the local hard drive.
Please note this was not specific to Security First. Any Web site
that requests a username and password in an onscreen form is
potentially vulnerable to this cleartext caching if the "pragma:
no-cache" header is not used.
In order to ensure that your username and password have been cleared
from your cache, bank customers should go to the Options dropdown
menu in the Navigator, and select Network, then Cache, and then click
on the "Clear Disk Cache Now" button. We know that software involving
Internet commerce is changing at a rapid pace, and we will continue
to monitor all changes that might affect our customers.
We would like to thank Lucky and also Jeff Weinstein of Netscape for
bringing this to our attention. The Internet community benefits when
we all work together to make it a better network.
If you have any questions, please do not hesitate to e-mail me at
karlin@sfnb.com, or our customer service staff at support@sfnb.com.
Sincerely,
Michael Karlin
President & COO
Security First Network Bank
================================================================
Michael S. Karlin Security First Network Bank
2957 Clairmont Road 404.679.3201
Suite 280 404.679.3210 Fax
Atlanta, GA 30329 karlin@sfnb.com
--- end forwarded text
-- Lucky Green <mailto:shamrock@netcom.com>
PGP encrypted mail preferred.
Return to April 1996
Return to “shamrock@netcom.com (Lucky Green)”