Windows Application GUI Masked Password Disclosure

1997-05-05T00:00:00
ID OSVDB:12157
Type osvdb
Reporter OSVDB
Modified 1997-05-05T00:00:00

Description

Vulnerability Description

The Windows application contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to a plaintext password when a password disclosure tool, such as Snadboy's "Revelation", is used on the masked password display. This may lead to a loss of confidentiality, integrity and/or availability.

Technical Description

The application displays a stored password in masked form (typically as a row of asterisks), but it does so by loading the real password into the control and letting the control mask it on screen: the plaintext is still the control's text, only the rendering is hidden. A tool that reads the control's text back, such as Snadboy's Revelation, therefore recovers the value behind the asterisks.

Solution Description

If possible, do not display stored passwords at all, even masked. If a masked display is required, do not load the real password into the control as the "filler" that produces the asterisks; show a fixed-length placeholder string instead and keep the real value out of the control.
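As an added example covering both the technical description above and this solution (it is not code from the OSVDB entry, from Snadboy, or from any affected vendor): a PowerShell script that builds a throwaway Windows Forms dialog with one masked field done the vulnerable way beside one done the recommended way, then reads both back with the documented WM_GETTEXT message, the same kind of read Revelation-style tools perform. The control names, the sample password and the filler length are assumptions.

```powershell
# Added example, not code from the OSVDB entry or from any affected vendor.
# Builds a throwaway Windows Forms dialog with two masked fields, then runs the
# same WM_GETTEXT read that Revelation-style tools use against each of them.
# Control names, the sample password and the filler length are constructed.
Add-Type -AssemblyName System.Windows.Forms

# Documented user32 calls used by the probe (this is not Revelation's own code).
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class PwProbe {
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern IntPtr SendMessage(IntPtr hWnd, uint msg, IntPtr wParam, StringBuilder lParam);
    [DllImport("user32.dll")]
    static extern int GetWindowLong(IntPtr hWnd, int nIndex);
    const uint WM_GETTEXT  = 0x000D;
    const int  GWL_STYLE   = -16;
    const int  ES_PASSWORD = 0x0020;

    // True if the edit control has the ES_PASSWORD style (masked on screen).
    public static bool IsPasswordField(IntPtr hWnd) {
        return (GetWindowLong(hWnd, GWL_STYLE) & ES_PASSWORD) != 0;
    }
    // Ask the control for its text; masking is a rendering detail, not a barrier.
    public static string ReadText(IntPtr hWnd) {
        var buf = new StringBuilder(1024);
        SendMessage(hWnd, WM_GETTEXT, (IntPtr)buf.Capacity, buf);
        return buf.ToString();
    }
}
"@

$secret = 'Hunter2!'                       # constructed sample credential

$form = New-Object System.Windows.Forms.Form
$form.Text = 'Masked password demo'

# Vulnerable pattern from the advisory: the real password is the control's
# text and only the on-screen rendering is masked.
$vuln = New-Object System.Windows.Forms.TextBox
$vuln.Name = 'vulnerable'
$vuln.UseSystemPasswordChar = $true
$vuln.Text = $secret
$vuln.Top = 10

# Recommended pattern from the solution: the control only ever holds a
# fixed-length filler, so a text read has nothing to recover. The real value
# stays in the application's own storage (a SecureString here) and is never
# assigned to the widget. Fixed length also avoids leaking the password's length.
$hard = New-Object System.Windows.Forms.TextBox
$hard.Name = 'hardened'
$hard.UseSystemPasswordChar = $true
$hard.Text = '*' * 8
$hard.Top = 40
$storedSecret = ConvertTo-SecureString -String $secret -AsPlainText -Force

$form.Controls.AddRange(@($vuln, $hard))
$form.Show()                               # creates the native window handles

# The probe: read back whatever each masked control is actually holding.
foreach ($box in @($vuln, $hard)) {
    if ([PwProbe]::IsPasswordField($box.Handle)) {
        '{0,-10} WM_GETTEXT -> {1}' -f $box.Name, [PwProbe]::ReadText($box.Handle)
    }
}
$form.Close()
```

Run it in an interactive Windows PowerShell session: the vulnerable field answers with the plaintext, the hardened one only with the filler. Two caveats. Newer Windows versions refuse a WM_GETTEXT sent from a different process to an ES_PASSWORD edit control, which is why this demo probes in-process; a disclosure tool failing against a modern application is therefore not proof the application is safe, since controls that draw their own masking get no such protection and the secret is still sitting in the control's memory. And the filler must be of constant length, or the masked display still leaks the password's length.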

Short Description

The Windows application contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to a plaintext password when a password disclosure tool, such as Snadboy's "Revelation", is used on the masked password display. This may lead to a loss of confidentiality, integrity and/or availability.

References:

Secunia Advisory ID: 13267
Other Advisory URL: http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=31832
Generic Informational URL: http://www.snadboy.com/