Netscape security flaw revealed
Reliable Software Technologies, a Sterling, Va., software-security company, said Tuesday that two RST engineers needed just eight hours to duplicate the mathematical algorithm Netscape Mail uses to scramble users' passwords. The company said the problem affects all current versions of Netscape.
Gary McGraw, vice president for corporate technology at RST, said the Netscape algorithm was "not an obvious sitting duck -- [the password] appears to be scrambled up in a good way, but it's not cryptographically strong." That would allow a determined hacker to reverse-engineer the algorithm and figure out the password.
Officials of Netscape, now a division of Dulles, Va.-based America Online Inc. (NYSE: AOL), were concerned by the news but said the unit has no plans to change its algorithm.
Chris Saito, the senior director for product management at Netscape, said that the option to save a password locally was included for convenience. Saito added that Netscape didn't use a stronger encryption algorithm to protect passwords so that "computer experts could still access the information, in case someone forgot their password."
A key contention between RST and Netscape is whether the scrambled password could be retrieved remotely using code written with the Javascript language. According to RST, a user running Netscape Navigator versions 4.0 through 4.04 could have their vulnerable password stripped by a Javascript run by a rogue Web site. That could be particularly dangerous given that many computer users use only one password for many or all applications that they run: In a worst-case scenario, the discovery of a user's e-mail password could give an unscrupulous hacker easy entry into that user's company intranet, online trading account or bank account.
At odds over existence
Netscape and RST remained at odds late Tuesday about whether the Javascript vulnerability really existed.
Netscape's Saito said the company wasn't aware of the vulnerability and added that a "security fix" would be forthcoming if that vulnerability were proved to exist. If the Javascript vulnerability doesn't exist, a password stealer would have to have physical access to a user's computer to figure out the algorithm.
Saito noted that Netscape already has numerous safety features, including a Secure Sockets Layer, which enables users to communicate securely with Web servers, and a protocol for encrypting e-mail messages sent.
Barring the presence of the Javascript vulnerability alleged by RST, Saito said Netscape didn't view the password problem as a security issue, adding that "we can't be responsible for physical access to people's machines."
"As it stands now, we view this as a machine problem, not a Netscape problem," he said.