Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Just because you read it on the Internet, does not make it true

May 23rd 2007 in Uncategorized

I came across a blog entry about Internet Explorer that makes assumptions about how the program stores ‘autocomplete’ passwords, and those assumptions are simply wrong.


Here is the URL:
http://www.ecommerce-blog.org/archives/internet-explorer-auto-complete-stores-your-passwords-unencrypted/


For whatever reason, the blog’s author seems to have come to the incorrect conclusion that, because his “password managing program” was able to access and display his stored usernames and passwords, IE must store autocomplete passwords in “a single flat-file that is unencrypted and can be easily read by a variety of program(s)”.


The author’s conclusions are incorrect. IE7 DOES encrypt autocomplete data. Yes, there are programs out there that can retrieve the stored data, but the reality is that the data *is* encrypted, and is *not* in a “flat file” (whatever the heck that means).


IE uses Protected Storage (and later the Data Protection API (DPAPI)). To quote a TechNet article:


“The Protected Storage service protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users. The service provides a set of software libraries that allow applications to retrieve security and other information from personal storage locations as it hides the implementation and details of the storage itself.


The storage location that is provided by this service is secure and protected from modification. The Protected Storage service uses the Hash-Based Message Authentication Code (HMAC) and the Secure Hash Algorithm 1 (SHA1) cryptographic hash function to encrypt the user’s master key. This component requires no configuration.”


Source: http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx


To give you an idea of how IE stores passwords, have a look at this registry key – yes, that’s Protected Storage in action:


HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2


To give you an idea of how IE protects sensitive data, have a look at this registry key:


HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs


A big difference, yes?
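To make that comparison concrete, here is an added example (not code from the original post) that summarizes the values under both keys without decrypting anything. The function name `Get-RegValueSummary` is hypothetical, and the script assumes a Windows profile in which IE has actually saved form data and typed URLs.

```powershell
# Added example: describe each value under a registry key (type, size, how much
# of it is printable text, byte entropy). Nothing is decrypted or exported.
function Get-RegValueSummary {
    param([Parameter(Mandatory)][string]$Path)

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) {
        Write-Warning "Key not present for this user: $Path"
        return
    }
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)

        # Normalise to bytes so binary and string values are measured the same way.
        if ($data -is [byte[]]) { $bytes = $data }
        else { $bytes = [Text.Encoding]::UTF8.GetBytes([string]$data) }

        $entropy = 0.0
        $printablePct = 0
        if ($bytes.Length -gt 0) {
            # Shannon entropy in bits per byte. Readable text is typically well
            # below encrypted data, which approaches 8 on large blobs
            # (a short value can never exceed log2 of its length).
            foreach ($g in ($bytes | Group-Object)) {
                $p = $g.Count / $bytes.Length
                $entropy -= $p * [Math]::Log($p, 2)
            }
            $printable = @($bytes | Where-Object { $_ -ge 0x20 -and $_ -le 0x7E }).Count
            $printablePct = [Math]::Round(100 * $printable / $bytes.Length)
        }
        [pscustomobject]@{
            Name         = $name.Substring(0, [Math]::Min(16, $name.Length))
            Kind         = $key.GetValueKind($name)   # Binary, String, ...
            Bytes        = $bytes.Length
            PrintablePct = $printablePct
            Entropy      = [Math]::Round($entropy, 2)
        }
    }
}

$ie = 'HKCU:\Software\Microsoft\Internet Explorer'
Get-RegValueSummary -Path "$ie\IntelliForms\Storage2" | Format-Table -AutoSize
Get-RegValueSummary -Path "$ie\TypedURLs" | Format-Table -AutoSize
```

The printable share and entropy figures are a quick way to tell readable values from opaque ones; they indicate that data is not plain text, not which algorithm protected it.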


So, to reiterate, yes there are programs out there that can retrieve the encrypted username and password data stored by IE, BUT, the data *IS* encrypted and it is *NOT* a “single flat file”.


More information about Protected Storage / DPAPI:
http://msdn2.microsoft.com/en-us/library/aa925034.aspx


2 comments to...
“Just because you read it on the Internet, does not make it true”

Jim Pickering

Hi Sandi:

Did you see the info at this link:
http://feeds.feedburner.com/~r/wired27b/~3/119045593/dell_google_sec.html

Jim



sandi

Jeez. No I did not.

I’ve said it before, and I’ll say it again – Google is the next Evil Empire.

