Internet Config for MacOS Weak Password Encryption Vulnerability

Solution:
Do not use the password storage feature of Internet Config.

From the Internet Config FAQ:

IC does provide the ability for applications to share preferences. Any information you enter into Internet Config can be accessed by any other software you execute on your machine. This includes preferences like the email password. You should be aware that such passwords are available to any software on your computer.

IC stores passwords in a non-secure fashion. While each password is scrambled to prevent idle viewing with ResEdit, the scrambling algorithm is publicly documented in the IC Programming Kit. Anyone with a trivial programming background can access these passwords.

Note: This situation is no different from the passwords you enter into other applications. When you ask a program (such as Users & Groups) to store a password, it must be stored in some file somewhere on your hard disk. The only difference is that IC provides a public API for getting at these passwords. The important thing to keep in mind is that you should not install software that you do not trust on your machine.

Note: If you ignore this advice (and install software you do not trust onto your computer), password secrecy is the least of your problems. Specifically, the Mac OS does not prevent a program from erasing the entire contents of your hard disk.

If you want to know which applications are accessing which IC preferences, you can install ICAccess Logger (ftp://ftp.stairways.com/stairways/hacks/).

Copyright 2010, SecurityFocus