Software security firm claims flaw in Netscape email

Reliable Software Technologies says it has discovered a flaw in Netscape Navigator's email system that exposes user passwords.

Software security consulting firm Reliable Software Technologies (RST) said it has discovered a flaw in Netscape Navigator's email system that exposes user passwords.

In an eight-hour period, the Dulles, Va.-based firm's engineers were able to duplicate the algorithm used to scramble an individual's mail password, the company claims.

"There is a better algorithm out there that could be used by Netscape that would raise the bar much higher than the one they're using now," said Gary McGraw, vice president for corporate technology at RST. "I guess they're acting like it's a silly algorithm but there is no perfect solution so [they'll] stick with this. I think they should say there is no perfect solution so let's have a better algorithm."

Representatives from Netscape, a unit of America Online, were unavailable for comment.

In some versions of Netscape, the scrambled password can be retrieved remotely using JavaScript, RST said. Access to passwords could potentially lead to malicious use of an individual's mail and allow further access to protected, business-critical information systems where the same password is used.

Many people use their email password as their password for other applications, both at work and at home. An attacker could use the victim's password, gleaned from an insecure home machine, to log on to other corporate systems, the company warned.

The attacker can then take control of the machine, read sensitive information, use the account to attack more privileged accounts, and set up a remote monitoring system inside a corporate network.

For a Netscape mail password to be decoded, a small program must be run on the computer where the password is saved, the company explained.

So far, the workaround is that users should refrain from saving their passwords, to avoid having them written to the preferences file, where attackers can access them.