[4454] in WWW Security List Archive
Re: Removing info from a PC cache
daemon@ATHENA.MIT.EDU (Darren Cook)
Sat Feb 15 03:45:01 1997
To: www-security@ns2.rutgers.edu
From: darren@factcomm.co.jp (Darren Cook)
Date: Sat, 15 Feb 1997 15:08:41 +0900
Errors-To: owner-www-security@ns2.rutgers.edu
>Our technical folks here believe the reload button would defeat the random
>session id tactic. If we're missing something obvious, please let me know!
Good point. I did not think of them using BACK to go as far back as the
initial password form.
How about this:
1. I know the time & date of their last web access, which is after they
   submitted the password form.
2. When I give them the password form, include a hidden with the current time.
3. If they try to submit a password form which has a time earlier than their
   last access, ignore it (and send back a fresh password form :-).
A clever hacker could go directly into the cache and get the password out,
and log in the normal way. I cannot see any way round this last one.
Could someone sit down at an Internet Cafe, download their 'cache-hacker'
software using ftp (I'm assuming the cafe have disabled the floppy drive
already), then run it to get the passwords out?
Maybe cafes should have a policy to clear the browser cache between each
customer.
The situation is worse in a company situation (you cannot expect people to
clear their caches each time they go to the toilet) except that you are
more likely to notice the guy with the dark glasses, sitting at Suzy the
secretary's machine, typing in a suspicious manner.
Darren
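
Steps 1 to 3 of the message above as a server-side check, added here as an example and not code from the original post. It goes one step beyond the post by attaching an HMAC to the hidden time value so the browser cannot edit it; the function names, the key and the in-memory `last_access` store keyed by user name are assumptions.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # assumption: server-side secret (placeholder)
last_access = {}  # assumption: user -> time of last web access (step 1)


def _mac(ts):
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now):
    """Step 2: hidden-field value, issue time plus a MAC so it cannot be edited."""
    ts = str(int(now))
    return ts + "." + _mac(ts)


def parse_form_token(token):
    """Return the issue time, or None if the value is malformed or altered."""
    ts, sep, mac = token.partition(".")
    if not sep or not ts.isdigit():
        return None
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return None
    return int(ts)


def touch(user, now):
    """Step 1: record every authenticated page access."""
    last_access[user] = int(now)


def handle_login(user, password_ok, token, now):
    """Step 3: 'accepted', 'bad-credentials', or 'stale-form' (send a fresh form)."""
    issued = parse_form_token(token)
    if issued is None or issued > now:
        return "stale-form"
    seen = last_access.get(user)
    # <= rather than <: a replay within the same second as the last access
    # is also refused; the cost is one extra fresh form for a real user.
    if seen is not None and issued <= seen:
        return "stale-form"
    if not password_ok:
        return "bad-credentials"
    touch(user, now)
    return "accepted"
```

This only refuses a resubmitted old form; as the message says, it does nothing about a password read directly out of the cache.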