Security implications of data recovery
4pm, 23rd September 2007 - Geek, Interesting, Security, Developer, Sysadmin, Legal
After last week's data recovery antics, I started looking at what is actually stored in Firefox's crash recovery file (sessionstore.js) and it appears to be ripe and juicy for a bit of password sniffing. A quick search through the file and I found one of my passwords hiding in plain sight along with the associated username. Although the file has restrictive permissions (600), anyone with admin/root privileges would be able to read it. Anyone who can log in with your privileges would be able to read it. Anyone who has access to your computer, even for only a couple of minutes, would be able to read that file.
Sure, "root can already do anything" you say, but this allows whoever is root to gain extra privileges. Privileges on another system where he isn't already root. This is your Gmail password, your MySpace password, your banking password. Maybe this is the same password you use for all of your accounts on all your social networking websites.
It doesn't seem to matter whether the password is in a "password" field or just a plain text field and it doesn't matter whether the page is encrypted or not. Your password will be stored, with the username it accompanies, in plain text in your home directory.
This isn't just limited to passwords either. What if you logged in under an anonymous name at some forums somewhere so you could blow the whistle on your corrupt boss without fear of sacking? What if you were emailing the blueprints to your next invention to the patent office? What if you were uploading photographs you had taken in secret from your hotel across the road from the US embassy to a Russian spy website? What if something even more unlikely and implausible were to happen that would be devastating to you if it were discovered you were the culprit?
The lesson to learn is that if your data can be recovered by you after a crash, it can be recovered by pretty much anyone at any time. If you're a developer, remember this and think about not storing passwords or at least storing them encrypted.
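For developers, here is what "not storing passwords" can look like in a crash-recovery snapshot. This is an added example, not Firefox's code and not its sessionstore.js format: the field objects, function names and the policy itself are assumptions made for illustration, and the sample forms are constructed.

```javascript
// Hypothetical crash-recovery snapshot of form state (assumed field shape:
// {name, type, autocomplete, value}). Not Firefox's sessionstore.js format.

// Names that suggest a secret typed into a plain text field. Fails closed:
// a harmless field called "passenger" is dropped too.
const SENSITIVE_NAME = /pass|pwd|secret|token/i;

// Naive version: every value, credentials included, ends up on disk.
function snapshotNaive(pageUrl, fields) {
  const all = fields.map(f => ({ name: f.name, value: f.value }));
  return JSON.stringify({ url: pageUrl, fields: all });
}

// Decide which field values may be written to the recovery file.
function persistableFields(pageUrl, fields) {
  // Encrypted page: keep no form data at all.
  if (new URL(pageUrl).protocol === "https:") return [];
  // Login form: drop everything, so the username is not stored either.
  if (fields.some(f => f.type === "password")) return [];
  return fields.filter(f =>
    (f.autocomplete || "").toLowerCase() !== "off" && // site opted out
    !SENSITIVE_NAME.test(f.name));                    // secret in a text field
}

// Hardened version: the URL is kept so the tab can be reopened after a
// crash, but only the fields allowed by the policy are serialised.
function snapshotSafe(pageUrl, fields) {
  const kept = persistableFields(pageUrl, fields)
    .map(f => ({ name: f.name, value: f.value }));
  return JSON.stringify({ url: pageUrl, fields: kept });
}

// Constructed sample input.
const loginForm = [
  { name: "username", type: "text", value: "alice" },
  { name: "password", type: "password", value: "hunter2" },
];
const commentForm = [
  { name: "nickname", type: "text", value: "alice" },
  { name: "passwd_hint", type: "text", value: "hunter2" },
  { name: "comment", type: "textarea", value: "half-written reply" },
];
```

The price is that a half-filled login form is not restored after a crash. The name heuristic is a best-effort guess and will miss a secret typed into a field with an innocent name.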
Comments
I just discovered this little application which allows you to retrieve passwords that are stored in password fields in any other application.
This is a perfect example of exactly what I was saying in the last paragraph above. If your application "knows" the user's password then another malicious user can most probably get that password straight out of the application's memory.