Security flaw in IBM Client Security Password Manager

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Security flaw in IBM Client Security Password Manager
From: Luís Miguel Silva <lms@xxxxxxxxxx>
Date: Tue, 3 Oct 2006 01:56:23 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Internet Messaging Program (IMP) H3 (4.0.1)

Hello all,

I recently found a security flaw in the design of the IBM Client Security
Password Manager (an application used to authenticate application forms using
fingerprints).

It came to my attention that the application only recognized my e-bank site and
authed against it if i had just created a profile. If i closed the browser and
opened a new one, the IBM Password Manager wouldn''t recognize the e-bank site.

I figured that the password manager mapped its profiles against the "window
name" property of the application.

In this case, the problem was that the bank dynamically changed the window title
to the current date.

Since the IBM Client Security Password Manager authenticates by mapping the
window title information, a malicious user could trick another user into
sending his credentials (by phishing, xss or by other simple methods...)

This is very easy to test:
a) using the IBM Client Security Password Manager, create a new profile for a
site with a static title (for instance, Horde webmail)
b) create a new site with the same window title and host it *anywhere you like*
c) go to that site and authenticate against it with the IBM Client Security
Password Manager application.

If you are using Horde (a portuguese version) you can test it in this page:
http://lms.ispgaya.pt/goodies/ibm/

It is actually ironic that, since the IBM application works this way, a user is
better off using the browsers builtin password manager (since it would detect
that the site isn''t safe / recognized).

Best regards,
+----------------------------------------
| Luís Miguel Ferreira da Silva
| Network Administrator @ISPGaya
| Instituto Superior Politécnico Gaya
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio ? 4400-025 V. N. de Gaia
| Tel: +351 223745730/3/5
| GSM: +351 912671471 +351 936371253
+----------------------------------------

----------------------------------------------------------------
Este email foi enviado via o webmail do ISPGaya
Instituto Superior Politécnico Gaya

Attachment: binXreO4yzr8X.bin
Description: PGP Public Key

Prev by Date: Re: WebspotBlogging => 3.0 Remote File Include Vulnerabilities
Next by Date: Re: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
Previous by thread: [ MDKSA-2006:178 ] - Updated ntp packages rebuilt against updated openssl.
Next by thread: Re: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
Index(es):
- Date
- Thread