[23208] in bugtraq
Re: MS IE Password inputs
daemon@ATHENA.MIT.EDU (Mattie Casper)
Wed Nov 21 02:10:51 2001
Message-ID: <003901c17255$60cf4eb0$4ec5a518@titan>
From: "Mattie Casper" <mattie@mattie.net>
To: "Jon Embury" <jon.embury@f1solutions.com.au>, <bugtraq@securityfocus.com>
Date: Wed, 21 Nov 2001 00:25:52 -0600

Very interesting find, and I can confirm the same thing happens in
IE6.

I can reproduce it by placing the cursor at the beginning of a
password typed-in like "1234 56789 0ABCDE FGHIJK" and then use
CTRL+RIGHTARROW to move through the asterisks just as if the spaces
were there. (CTRL+RIGHTARROW in some applications like IE will move
you to the next 'word' in a textbox.)

This can come in handy when I typo part of a password and don't want
to retype it all, but this does have some slight security
implications.

-Mattie!

Mattie Casper
http://me.mattie.net

----- Original Message -----
From: "Jon Embury" <jon.embury@f1solutions.com.au>
To: <bugtraq@securityfocus.com>
Sent: Tuesday, November 20, 2001 3:28 PM
Subject: MS IE Password inputs
> Just something I've noticed on IE 4 & 5.5
>
> If you enter a password that contains a mix of non-alphabetic and alphabetic
> characters to an MS IE password input and then use the keyboard to select it
> while holding down tab the cursor / selected region jumps between the
> non-alphabetic characters in exactly the same manner as it does when you
> apply the same technique in word, Interdev, vb etc.
>
> It doesn't reveal the password, but it would seem to reveal at least some of
> the structure.
>
> Eg
>
> 1 2 3 4 5
>
>
> Jon Embury
> Developer, F1 Solutions
> www.f1solutions.com.au
>
>
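
The leak discussed in this thread, as an added example that is not part of either post: it models which caret stops a masked field exposes when word navigation runs over the real characters, next to a field that treats the masked value as one opaque run. The word-break rule is a simplified assumption, not IE's actual algorithm, and the function names are hypothetical.

```javascript
// Added illustration: simplified word-boundary model, not IE's actual algorithm.
// Character classes: whitespace, word (letters/digits), other (punctuation).
function charClass(ch) {
  if (/\s/.test(ch)) return "space";
  if (/[A-Za-z0-9]/.test(ch)) return "word";
  return "other";
}

// Offsets where the caret lands when stepping through `value` with CTRL+RIGHTARROW.
// wordAware = true  : word breaks are computed on the real characters
//                     (the behaviour reported in the thread).
// wordAware = false : the masked value is treated as one opaque run.
function caretStops(value, wordAware) {
  const stops = [0];
  if (wordAware) {
    for (let i = 1; i < value.length; i++) {
      const cur = charClass(value[i]);
      // A stop is the start of any non-space run that follows a class change.
      if (cur !== "space" && cur !== charClass(value[i - 1])) stops.push(i);
    }
  }
  if (value.length > 0) stops.push(value.length);
  return stops;
}

// What an observer of the caret learns: the length of each segment between stops.
function segmentLengths(stops) {
  return stops.slice(1).map((s, i) => s - stops[i]);
}

// First value is the one quoted in the reply above; the second is constructed.
const spaced = "1234 56789 0ABCDE FGHIJK";
const punct = "abc!def";
for (const pw of [spaced, punct]) {
  console.log("*".repeat(pw.length),
    "word-aware:", segmentLengths(caretStops(pw, true)),
    "opaque:", segmentLengths(caretStops(pw, false)));
}
```

In the word-aware case the segment lengths give the position of every space or punctuation character; in the opaque case only the total length is visible, which the row of asterisks already shows.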