SecureMac, Inc.

Netscape Navigator for MacOS Security Issue

June 2, 2001

Issue:

Netscape Navigator/Communicator stores passwords in plain text
remote: no
local: yes
published: September 12, 2000
vulnerable:
Netscape Navigator/Communicator 4.x (and all versions?)

Security Issue:

There’s been a lot of security advisories and such about cookies security, but since the mac security is often very different from other operating systems, this is worth of mention.

The problem is in fact very simple, Netscape stores saved passwords as cookies in a file called MagicCookie that can be found in the netscape user folder (different for each user created.) in the Preferences folder of the system folder (System Folder: Preferences: Netscape: …

Netscape Navigator for MacOS Security Issue

Issue:

Netscape Navigator/Communicator stores passwords in plain text
remote: no
local: yes
published: September 12, 2000
vulnerable:
Netscape Navigator/Communicator 4.x (and all versions?)

Security Issue:

There’s been a lot of security advisories and such about cookies security, but since the mac security is often very different from other operating systems, this is worth of mention.

The problem is in fact very simple, Netscape stores saved passwords as cookies in a file called MagicCookie that can be found in the netscape user folder (different for each user created.) in the Preferences folder of the system folder (System Folder: Preferences: Netscape: Netscape users: Username). The file might be present somewhere else on the disk, just search for its name.

The cookies found in the file contain passwords, private information, id’s, etc. All that in plain text, making it very easy for a malicious user to quickly read them or to sniff the passwords if sent over a network.

Fix

A good idea would be not to use the ‘save password’ feature a lot of websites such as Hotmail offer, thus not storing the password as a cookie. Until Netscape finds a better way to store those passwords…

Get the latest security news and deals