Windows Explorer may expose FTP passwords in plaintext

Microsoft Applications Security

Posted by Brian Knittel on July 18, 2008, 4:08 pm
If you use Windows Explorer to open an FTP site that requires a password,
Explorer may display the password in clear text in the future through the
autocomplete feature in Explorer's Address bar. I've tried this on one XP
SP3 machine and the password DOES appear, but on another XP SP3 machine only
the username appears. Steps to reproduce:

1. Open Windows Explorer and if necessary enable the display of the Address
bar

2. In the Address bar, enter the URI of an FTP server that does not permit
anonymous access and on which you have an account, e.g.
ftp://host.domain.com/myfolder

3. Windows Explorer will prompt you for a username and password, and then
will display the folder contents

4. Close Windows Explorer, then open Windows Explorer again.

5. In the Address bar, type ftp:

At this point autocomplete should kick in and display the URI with at least
your username and maybe the password displayed in clear text, e.g.

ftp://username:password@host.domain.com/somefolder

The version with the username and password doesn't appear in the Address bar's
MRU dropdown, but just in prompts popped up by autocomplete. The password
does not seem to appear in plaintext in the Registry.

As I said, I have one machine that reliably shows the password, and another
that doesn't.

Does anyone else find that the password is displayed?

(No need to discuss the insecurity of FTP itself--that's not the issue
here. This is about the potential for exposing previously used passwords on
the desktop)
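The check below is an added example and not part of Brian's post or anything Microsoft ships. It scans the one autocomplete feed that is easy to inspect, the current user's typed-address history under HKCU\Software\Microsoft\Internet Explorer\TypedURLs, for URIs of the form scheme://user:password@host/... and lists them with the password masked, with an optional cleanup. It also reads the Explorer/IE "AutoSuggest" value (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete), which is the setting behind IE's "Use inline AutoComplete" option; that this same value governs the Explorer address bar on XP is an assumption. As Brian notes, the password did not show up in plaintext in the Registry on his machines, so a clean result here does not rule out the cached URL history (index.dat on XP), which this script does not parse. The sample URIs are constructed so the scan can be exercised offline.

```powershell
# Added example, not code from the original post.
# Scans the per-user typed-address history for URIs that embed credentials
# and reports them with the password masked. Works on PowerShell 2.0+.

$TypedUrlsKey    = 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'
$AutoCompleteKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete'

# scheme://user:password@rest  (userinfo with a ':' is the credential form)
$CredentialUri = '^(?<scheme>[a-z][a-z0-9+.-]*)://(?<user>[^:/@]+):(?<pass>[^@/]*)@(?<rest>.*)$'

function Get-CredentialUris {
    param([string[]] $Uris)
    foreach ($u in $Uris) {
        if ($u -match $CredentialUri) {
            New-Object PSObject -Property @{
                Uri         = $u
                Scheme      = $Matches.scheme
                User        = $Matches.user
                # Never echo the password itself; mask it in the report.
                Masked      = ('{0}://{1}:********@{2}' -f $Matches.scheme, $Matches.user, $Matches.rest)
                HasPassword = ($Matches.pass.Length -gt 0)
            }
        }
    }
}

function Get-TypedUrls {
    # Values are named url1, url2, ... in most-recently-used order.
    if (-not (Test-Path $TypedUrlsKey)) { return @() }
    $item = Get-Item $TypedUrlsKey
    $item.GetValueNames() | Where-Object { $_ -like 'url*' } |
        ForEach-Object { $item.GetValue($_) }
}

function Remove-CredentialTypedUrls {
    # Deletes only the entries that carry user:password@; -WhatIf previews.
    param([switch] $WhatIf)
    if (-not (Test-Path $TypedUrlsKey)) { return }
    $item = Get-Item $TypedUrlsKey
    foreach ($name in $item.GetValueNames()) {
        if ($item.GetValue($name) -match $CredentialUri) {
            Remove-ItemProperty -Path $TypedUrlsKey -Name $name -WhatIf:$WhatIf
        }
    }
}

function Get-AutoSuggestSetting {
    # 'AutoSuggest' = 'no' disables inline AutoComplete in the IE address bar;
    # assumed (not verified here) to cover the Explorer address bar on XP too.
    $v = (Get-ItemProperty -Path $AutoCompleteKey -ErrorAction SilentlyContinue).AutoSuggest
    if ($null -eq $v) { 'not set (defaults to yes)' } else { $v }
}

# Constructed sample entries (placeholder hosts) mirroring the URIs in the post.
$Sample = @(
    'ftp://host.domain.com/myfolder',
    'ftp://username:password@host.domain.com/somefolder',
    'ftp://username@host.domain.com/somefolder',
    'http://www.example.com/'
)
'--- sample scan ---'
Get-CredentialUris -Uris $Sample | Format-Table User, HasPassword, Masked -AutoSize

'--- this user''s typed-address history ---'
Get-CredentialUris -Uris (Get-TypedUrls) | Format-Table User, HasPassword, Masked -AutoSize
"Inline AutoComplete (AutoSuggest): $(Get-AutoSuggestSetting)"

# To purge, run:  Remove-CredentialTypedUrls -WhatIf   then without -WhatIf.
```

On the sample input only the second URI is reported (user "username", HasPassword True, masked as ftp://username:********@host.domain.com/somefolder); a URI with a username but no colon, like the third, is not flagged because it carries no secret. Run the live scan in the account that visited the FTP site, since the keys are per-user.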



Posted by S. Pidgorny on July 18, 2008, 9:11 pm

So the risk is that the user's own password is displayed to the user?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *




Posted by Stefan Kanthak on July 19, 2008, 12:45 pm

> So the risk it that the user's own password is displayed to the user?

Apparently you missed the point -- COMPLETELY!

1. A previously entered password must NEVER be displayed to any user.

2. Think of a shared computer in a public place.

Stefan


Posted by Steve Riley [MSFT] on July 20, 2008, 12:23 am
Please understand the science here. If a protocol is insecure on the wire,
then there's zero benefit in trying to hide any aspects of that protocol
conversation on the individual computer itself. Besides, the displayed
password (retrieved from the URL history in this case) is displayed only to
the particular user who's logged on. If some other user logs onto the PC,
then that user can't see the first user's history (local admins excepted, of
course).

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com




Posted by Alun Jones on July 20, 2008, 2:16 am
> Please understand the science here. If a protocol is insecure on the wire,
> then there's zero benefit in trying to hide any aspects of that protocol
> conversation on the individual computer itself. Besides, the displayed
> password (retrieved from the URL history in this case) is displayed only
> to the particular user who's logged on. If some other user logs onto the
> PC, then that user can't see the first user's history (local admins
> excepted, of course).

Your first two sentences are a bit of a cop-out, Steve.

Plenty of people use FTP securely - say, for instance, over an encrypted
VPN, or over IPsec.

As for the remaining sentences, it's worth noting that in most other places
where you enter a password, the password is blanked out, even though it is
indeed your own password.

The old "my password? yeah, it's eight stars" joke reminds us that
passwords, where they can be recognised as such, should always be hidden
from view. Otherwise, shoulder-surfing gets much easier.

Or are you planning on spreading this message throughout Windows, and having
the logon screen echo the password back to the user as they type it?

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.


