Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


New Web Browser Feature May Put Private Info At Risk

Internet Explorer 5.0 users might be vulnerable to hackers if they enter credit cards and other information using the browser's AutoComplete feature. (A.Shepherd/

By Michael J. Martinez
March 15
A new feature in the latest edition of Microsoft's Internet Explorer Web browser   
could make personal information available to other people accessing your computer,   
either in person or online.  
Security experts say the "AutoComplete" feature in Internet Explorer 5.0, which   
records and reproduces the information a user enters into online forms (such as   
an e-commerce order form or a contest entry), could potentially be accessed by   
hackers posing as the computer's primary user.  
"If someone does indeed gain remote access to your computer, you might indeed run   
into a vulnerability there," acknowledges Mike Nichols, program manager for   
Internet Explorer at Microsoft.   
Nichols stresses, however, that no such attacks on IE 5.0 have been documented.   
The AutoComplete feature can be disabled by the user.  
Convenience vs. Security  
The new feature in IE5, which will be formally launched Thursday, is an extension   
of the AutoComplete feature from past browsers. In previous versions of IE, typing   
out the first few letters of a previously accessed URL brings the entire address   
up. This feature has been extended to online forms.   
So, for example, if a user buys a book at an online bookstore, entering the first   
few letters of his or her name prompts the browser to enter the complete name. The   
same goes for other information, including passwords, phone numbers and credit   
card numbers.  
Such information is encrypted and stored in the Windows Protected Store, a file   
that is part of the Windows operating system. Each user on a workstation or   
personal computer has his or her own encrypted storage area, tied to his or her   
"This is a secure environment," Nichols says. "If you're not logged in, nobody   
can access it."  
Breaking and Entering  
Remote access is another matter. There are a number of so-called "exploits" -   
downloadable programs that serve as hacking tools - that allow remote users to   
gain control of a computer as if the remote user was actually sitting at the   
computer and logged in. The exploit called "Back Orifice," introduced by the   
hacker group Cult of the Dead Cow last summer, is one of many different tools   
that can take a variety of forms.  
"If the user can type a few characters and have the rest filled in for him, a   
program can be written to simulate a user doing the same thing," says DilDog, a   
hacker with L0pht Heavy Industries, a hacking and security consulting group in   
Boston. "It's a useful little widget, but it suffers greatly if it is used to   
store sensitive information."  
DilDog, who discovered and publicized a number of security flaws in IE4, says
the AutoComplete issue would probably be the least of a user's worries if
someone gains remote access to their computer. Nevertheless, he calls it a
"bad idea" to access sensitive information through the browser.
Protecting Yourself  
Users who feel their computers might still be vulnerable are often encouraged   
to keep personal information - financial files, correspondence, etc. - on a   
floppy disk to avoid having someone rifle through them.   
The AutoComplete hole could allow a remote hacker to check the browser for   
sensitive information.   
"This could very well be a new problem," says Peter Tippett, president of   
ICSA, Inc., a computer security consulting business. "When someone accesses your   
computer without you knowing it, a lot of things could go wrong."   
Safe Computing Practices  
Use anti-virus software and a screen saver.  
Don't open programs (usually with .exe extensions) sent via e-mail from unknown   
Don't download anything from unfamiliar Web sites.  
Make sure to update your software with security patches. Those are commonly   
available online through the software vendor.