Hello all,

I recently found a security flaw in the design of the IBM Client Security Password Manager (an application used to authenticate application forms using fingerprints).

It came to my attention that the application only recognized my e-bank site and authed against it if I had just created a profile. If I closed the browser and opened a new one, the IBM Password Manager wouldn't recognize the e-bank site. I figured that the password manager mapped its profiles against the "window name" property of the application. In this case, the problem was that the bank dynamically changed the window title to the current date.

Since the IBM Client Security Password Manager authenticates by mapping the window title information, a malicious user could trick another user into sending his credentials (by phishing, XSS or by other simple methods...).

This is very easy to test:

a) using the IBM Client Security Password Manager, create a new profile for a site with a static title (for instance, Horde webmail)
b) create a new site with the same window title and host it *anywhere you like*
c) go to that site and authenticate against it with the IBM Client Security Password Manager application.

If you are using Horde (a Portuguese version) you can test it in this page: http://lms.ispgaya.pt/goodies/ibm/

It is actually ironic that, since the IBM application works this way, a user is better off using the browser's built-in password manager (since it would detect that the site isn't safe / recognized).

Best regards,

+----------------------------------------
| Luís Miguel Ferreira da Silva
| Network Administrator @ISPGaya
| Instituto Superior Politécnico Gaya
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio - 4400-025 V. N. de Gaia
| Tel: +351 223745730/3/5
| GSM: +351 912671471 +351 936371253
+----------------------------------------

----------------------------------------------------------------
This email was sent via the ISPGaya webmail, Instituto Superior Politécnico Gaya
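The post's core point is the matching key: a profile keyed on the window title both misses the legitimate bank page (whose title changes daily) and matches any unrelated page that copies the title, while a profile keyed on the page origin, as browser built-in managers do, behaves correctly in both cases. The following is a constructed model added here to illustrate that contrast; it is not IBM's code, and the profiles, titles and hostnames are placeholders.

```python
"""Constructed model (not IBM's code) contrasting two ways a password manager
can decide whether a stored profile applies to the current page: matching on
the window title (the design the post describes) versus matching on the page
origin (scheme, host, port), which is what browser built-in managers use."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Profile:
    title: str     # window title captured when the profile was created
    origin: str    # normalised scheme://host[:port] captured at the same time
    username: str


def origin_of(url: str) -> str:
    """Normalise a URL to its origin; the port is kept only when explicit."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme.lower()}://{host}{port}"


def match_by_title(profiles, title, url):
    """Title-only policy: any page showing the same title is 'the site'."""
    return [p for p in profiles if p.title == title]   # url is ignored


def match_by_origin(profiles, title, url):
    """Origin policy: the title is ignored; only the real origin counts."""
    origin = origin_of(url)
    return [p for p in profiles if p.origin == origin]


# Constructed profiles and page visits (all hostnames are placeholders).
PROFILES = [
    Profile("Horde :: Login", "https://webmail.example.edu", "alice"),
    Profile("MyBank - 2007-03-12", "https://bank.example.com", "alice"),
]
VISITS = {
    # same title as the webmail profile, served from an unrelated host
    "lookalike": ("Horde :: Login", "http://third-party.example.net/horde/"),
    # the real bank one day later: same origin, title now carries today's date
    "bank_next_day": ("MyBank - 2007-03-13", "https://bank.example.com/login"),
    "real_webmail": ("Horde :: Login", "https://webmail.example.edu/login.php"),
}


def autofill_decision(policy, visit):
    """Return the usernames the given policy would offer to fill on this visit."""
    title, url = VISITS[visit]
    return sorted(p.username for p in policy(PROFILES, title, url))
```

Under `match_by_title` the lookalike page is offered the webmail credentials while the real bank is not recognised the next day; under `match_by_origin` both outcomes are reversed.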