Mailing List Archive

Re: tlug: Cache cow security hole



>Here's a site everybody should check out, if they haven't already seen it.
>It is possible to suck out all of Netscape's cached information, including
>credit card numbers (yup, it saves those!) without your knowing it.

Credit card numbers is a bit of an exaggeration. "about:cache" only shows
URLs, which means it would only store form information if submitted with
"GET", which is very unusual (if you did that your credit card number would
be in any proxies it passed through, and the server logs as well). I just
tried a "POST" form, and none of the information I submitted is there.

I wonder how Netscape are going to stop this problem without disabling
useful functionality? I suppose you could stop submit() being called from
an onLoad() command, which is always likely to be devious.

Darren

---------------------------------------------------------------
Next Meeting: 10 October, 12:30 Tokyo Station Yaesu central gate
Featuring the IMASY Eng. Team on "IPv6 - The Next Generation IP"
Next Nomikai: 20 November, 19:30  Tengu TokyoEkiMae 03-3275-3691
---------------------------------------------------------------
Sponsor: PHT, makers of TurboLinux http://www.pht.co.jp
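
The reply above notes that form data submitted with "GET" travels in the URL and so lands in caches, proxies and server logs. As an added example (not part of the original message), this Python scans access-log lines for query parameters that hold Luhn-valid card-like numbers; the log lines, paths and parameter names are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Common Log Format; addresses, paths and values are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:10:00:01 +0900] "GET /order?name=Taro&card=4111111111111111&exp=0100 HTTP/1.0" 200 512
192.0.2.10 - - [01/Jan/2000:10:00:05 +0900] "POST /order HTTP/1.0" 200 498
192.0.2.11 - - [01/Jan/2000:10:01:12 +0900] "GET /search?q=1234567890123456 HTTP/1.0" 200 2048
192.0.2.12 - - [01/Jan/2000:10:02:30 +0900] "GET /pay?cc=4111-1111-1111-1111 HTTP/1.0" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE_RE = re.compile(r'^\d(?:[ -]?\d){12,18}$')


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers_in_urls(log_text: str):
    """Return (line_no, method, path, param) for each card-like query parameter."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if CANDIDATE_RE.match(value) and luhn_ok(re.sub(r"\D", "", value)):
                # Record where the value was seen, never the value itself.
                hits.append((line_no, m.group("method"), url.path, name))
    return hits


if __name__ == "__main__":
    for hit in find_card_numbers_in_urls(SAMPLE_LOG):
        print("line %d: %s %s parameter %r holds a Luhn-valid number" % hit)
```

The "POST" request in the sample produces no hit because its form fields are in the request body, which the access log does not record.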

