Date: Tue, 3 Oct 2006 01:56:23 +0100
From: Luís Miguel Silva <lms@ispgaya.pt.>
To: [email protected]
Subject: Security flaw in IBM Client Security Password Manager

Hello all,

I recently found a security flaw in the design of the IBM Client Security
Password Manager (an application used to authenticate application forms
using fingerprints).

It came to my attention that the application only recognized my e-bank
site and authed against it if I had just created a profile. If I closed the
browser and opened a new one, the IBM Password Manager wouldn't recognize
the e-bank site.

I figured that the password manager mapped its profiles against the "window
name" property of the application.
In this case, the problem was that the bank dynamically changed the window
title to the current date.

Since the IBM Client Security Password Manager authenticates by mapping the
window title information, a malicious user could trick another user into
sending his credentials (by phishing, XSS or by other simple methods...).

This is very easy to test:
a) using the IBM Client Security Password Manager, create a new profile for
   a site with a static title (for instance, Horde webmail)
b) create a new site with the same window title and host it *anywhere you
   like*
c) go to that site and authenticate against it with the IBM Client Security
   Password Manager application.

If you are using Horde (a Portuguese version) you can test it in this page:
http://lms.ispgaya.pt/goodies/ibm/

It is actually ironic that, since the IBM application works this way, a
user is better off using the browser's built-in password manager (since it
would detect that the site isn't safe / recognized).

Best regards,
+----------------------------------------
| Luís Miguel Ferreira da Silva
| Network Administrator @ISPGaya
| Instituto Superior Politécnico Gaya
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Tel: +351 223745730/3/5
| GSM: +351 912671471 +351 936371253
+----------------------------------------
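
The lookup behaviour reported in this message, modelled next to an origin-keyed lookup. This is an added example, not part of the original post and not IBM's code. The class names, URLs, titles and secrets are constructed for illustration, and the title-keyed store only assumes the behaviour the post describes.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port), the tuple a browser uses to tell sites apart."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))

class TitleKeyedStore:
    """Model of the reported design: the profile is keyed on the window title."""
    def __init__(self):
        self._profiles = {}
    def save(self, url, title, secret):
        self._profiles[title] = secret      # the URL plays no part in the key
    def lookup(self, url, title):
        return self._profiles.get(title)

class OriginKeyedStore:
    """Corrected model: the profile is keyed on the page origin, title ignored."""
    def __init__(self):
        self._profiles = {}
    def save(self, url, title, secret):
        self._profiles[origin(url)] = secret
    def lookup(self, url, title):
        return self._profiles.get(origin(url))

def run_cases(store):
    # Constructed sample data: one site with a static title, one whose
    # title carries the current date (the e-bank case in the post).
    store.save("https://webmail.example.org/login", "Webmail :: Login", "s3cret")
    store.save("https://bank.example.org/", "Bank - 2006-10-02", "pin")
    return {
        # Same site, same title: both designs should release the secret.
        "same_site": store.lookup("https://webmail.example.org/login", "Webmail :: Login"),
        # Different host that copies the title: must release nothing.
        "copied_title": store.lookup("http://other.example.net/", "Webmail :: Login"),
        # Same bank the next day, title changed: should still match.
        "title_changed": store.lookup("https://bank.example.org/", "Bank - 2006-10-03"),
    }

if __name__ == "__main__":
    for cls in (TitleKeyedStore, OriginKeyedStore):
        print(cls.__name__, run_cases(cls()))
```

The title-keyed model fails in both directions: it misses the legitimate bank page once the date in the title changes, and it releases the webmail secret to an unrelated host that reuses the title.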