Move over Hotmail, Netscape Navigator’s email has a security
flaw, too. Reliable Software Technologies (RST) has found
what it calls a serious security flaw in the password
encryption of Netscape Navigator’s email system.
According to Jeffery Payne, RST’s president and CEO of the
Dulles, Va.-based software assurance consulting vendor, the
company’s software security group needed only eight hours to
duplicate the algorithm used to scramble an individual’s
“Having access to a Netscape mail password could potentially
lead to malicious use of an individual’s mail and allow
further access to protected business-critical information
systems where the same password is used,” Payne said.
In some versions of Netscape, Payne noted, the scrambled
Most people’s mail password is also their login password for
other applications, both at work and at home, he said. A
malicious attacker could use the victim’s password, gleaned
from an insecure home machine, to log in to a more secure
corporate machine and take control of the machine. The
attacker then could read sensitive information, use the
account to attack more privileged accounts, and set up a
remote monitoring system inside a corporate network.
Payne said he notified Netscape of the flaw and suggested a
simple fix.
Chris Sato, senior director for product management at
Netscape, said the company’s decision to allow a user to
save a password locally was for the user’s convenience. Sato
added that Netscape used a relatively weak encryption
algorithm so that “computer experts could still access the
information in case someone forgot their password.”
Payne noted that the “lack of any real security in
Windows95/98 makes exploiting this particular flaw in
Netscape particularly easy.” In fact, any program running on
the computer has access to the encrypted password, he said.
The algorithm used in Netscape was broken by two people,
RST’s Tim Hollebeek and John Viega, working for eight hours,
without any automation and with very minimal computer
Hollebeek and Viega said carefully chosen passwords were
entered, and the results were examined in a standard
scientific black-box approach. The analysts started by
figuring out one-character passwords, then used that
information to figure out how two-character passwords were
encrypted, and so on. After three letters, a really obvious
pattern emerges, they said.
“This is another illustration of how bad closed,
proprietary, cryptography is,” Bruce Schneier, CTO of
Counterpane Internet Security, said. “What makes this
vulnerability particularly nasty is that people tend to use
the same passwords over and over again.”