Netscape security flaw revealed

Reliable Software Technologies, a Sterling, Va., software-security company, said Tuesday that two RST engineers needed just eight hours to duplicate the mathematical algorithm Netscape Mail uses to scramble users' passwords. The company said the problem affects all current versions of Netscape.

Gary McGraw, vice president for corporate technology at RST, said the Netscape algorithm was "not an obvious sitting duck -- [the password] appears to be scrambled up in a good way, but it's not cryptographically strong." That would allow a determined hacker to reverse-engineer the algorithm and figure out the password.

According to RST, the engineers who found the security hole came upon it inadvertently. They were writing a program "to look for badly protected key material, like passwords," says Dr. McGraw, adding that to test the program's validity, they ran it against Netscape's e-mail system because it's a highly popular software system that millions of people use.

According to Dr. McGraw, the engineers ran their program against their own e-mail accounts and noticed scrambled versions of their passwords in the "registry" files maintained by the Windows operating system.

Algorithm not secure
The passwords recorded in the Windows registry weren't saved verbatim, but scrambled by a proprietary algorithm of Netscape's. But that algorithm isn't secure, RST said. By changing their passwords and then checking the registry file repeatedly, RST's engineers were able to decipher the pattern Netscape used to scramble them.

"We entered in passwords like 'a' and waited to see what would come out," Dr. McGraw said. "Then we kept changing it. Now it's 'a,' now it's 'b,' now it's 'ab.' "

Officials of Netscape, now a division of Dulles, Va.-based America Online Inc. (NYSE: AOL, were concerned by the news but said the unit has no plans to change its algorithm.

Chris Saito, the senior director for product management at Netscape, said that the option to save a password locally was included for convenience. Saito added that Netscape didn't use a stronger encryption algorithm to protect passwords so that "computer experts could still access the information, in case someone forgot their password."

A key contention between RST and Netscape is whether the scrambled password could be retrieved remotely using code written with the Javascript language. According to RST, a user running Netscape Navigator versions 4.0 through 4.04 could have their vulnerable password stripped by a Javascript run by a rogue Web site. That could be particularly dangerous given that many computer users use only one password for many or all applications that they run: In a worst-case scenario, the discovery of a user's e-mail password could give an unscrupulous hacker easy entry into that user's company intranet, online trading account or bank account.

At odds over existance
Netscape and RST remained at odds late Tuesday about whether the Javascript vulnerability really existed.

Netscape's Saito said the company wasn't aware of the vulnerability and added that a "security fix" would be forthcoming if that vulnerability were proved to exist. If the Javascript vulnerability doesn't exist, a password stealer would have to have physical access to a user's computer to figure out the algorithm.

Saito noted that Netscape already has numerous safety features, including a Secure Sockets Layer, which enables users to communicate securely with Web servers, and a protocol for encrypting e-mail messages sent.

Barring the presence of the Javascript vulnerability alleged by RST, Saito said Netscape didn't view the password problem as a security issue, adding that "we can't be responsible for physical access to people's machines."

"As it stands now, we view this as a machine problem, not a Netscape problem," he said.