Firefox 0.9.3 false safety

Stage 1:
I signed up for a free account at nytimes.com, and said yes in both browsers to remember the password.

Observations:
At least Firefox, and probably IE encrypt both the username and the password.

In Firefox's case, I haven't done any exploration of the encryption method. I will get to it later. For starters, it stored everything in c:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\aer7j1o6.default\signons.txt. The info it stored appears thusly in the file:

Quote:

---

#2c
http://www.antionline.com
.
http://www.nytimes.com
USERID
MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECM0Ru06n5UpCBAhw6jd+7Exfjg==
*PASSWORD
MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFKX05abTK1IBAj0HQsw2RFJbQ==
.

---

Whatever it is using to salt the encryption algorithm generates a consistent first 45 bytes of data, with only the last 25 bytes variable. Interestingly, I used the password and username the same, but it still provided different encryption results (though it does help to explain the similarities, I would venture). This is definitely not a simple base64_encode(), it is definitely encrypted. How, I am not sure, and am going to save for another day, just like I'm going to save playing with the rest of IE for another day. :)

In IE's case, all that is held outside the "Protected System Storage" is the ID for the site, which is stored in:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Intelliforms\SPW as a DWORD called "8[H=?2N=/5BLV #", or "38 5b 48 3d 3f 32 4e 3d 2f 35 42 4c 56 20 23" in hex.

I'll append more on this when I get the opportunity.

Nice work, like i said, i'll have to work a lot these days, like i am doing now, but as soon as i have the time i will surely get into it ;)

Stage 1 (continued):
Today I was playing around and I found a utility that will actually just outright display to you all of the information in your Protected Storage area, which is kind of amusing. http://www.nirsoft.net/utils/pspv.html

To understand why it works requires a bit of working knowledge on how the whole Protected Storage bit seems to work. Note: this is based on guesswork, but it is educated guesswork. :) It seems that it uses something of your user credentials (user/pass) to generate a key with which it encrypts a whole bunch of data -- not just autocomplete entries. Other things like private keys, keypairs for remote authentication, etc., are all stuffed in there as well. This is an important thing to understand because it explains why the security around the Protected Storage area should actually be incredibly strong, but is overall rather weak. I say weak because the system is designed such that all of the information you need to decrypt the Protected Storage contents exists on the machine. You can crack a system password given enough time, and once you have that, you have all the contents.
The real problem comes in when you consider that this is provided by Windows itself, and is designed to prevent people from breaking into the system if they steal a copy of the registry off the hard drive. Functionality must be exposed through some API (perhaps the MS Crypto API?) that will allow you to write some of your own data to the Protected Storage.

Unfortunately, what this means is if you can get Windows running as either Administrator or your victim, you can easily run such a tool and break the Protected System Storage -- without having to crack any encryption.
Now, just because I've found such a tool doesn't mean I'm going to stop playing around and seeing how things are encrypted and such. I did say I was going to try and do it manually (under the assumption that the above two cases are NOT possible), and I'm going to stick to that. The next step is to visit MSDN and see what Microsoft has to say about third party developers sticking stuff in there. :)

Guess I forgot to mention: Yes, PSPV worked well for me, it yanked the Autocomplete entry and showed me the username and password. For proof, and since I really don't care about the account, see the attached image. Yes, there was no other stuff, remember, this is a fresh XP install. :)

Edit #2: Well, that didn't take long. 10 seconds for MSDN to return a result for Protected Storage API as a search string.
http://msdn.microsoft.com/library/de...og/ipstore.asp

Edit #3: As a side note, I was grepping around last night for the user/pass from linux, and I found that nytimes.com's signup, when you make an error, includes the passwords on the form page after you've submitted once and generated a problem (ie: not filling out a field that's required). What happened was the browser I signed up there with had a copy of the form page in its cache. Def. not a good looking result for the nytimes.com developers.

hi,

i already had the tool pspv.exe and i did try to follow what it does too.
i also have a copy of iekey.exe from passware.
the link above is a demo, but as you can see this program uses a completely different approach then the pspv.exe tool.. (try it with regmon).

i'm working on firefox atm and have run it through w32dasm (took about 10 minutes to disassemble on my centrino 1600mhz, 1gb memory notebook),i wanted to attach the output file, but even in a zip file it still is 16,2 mb's!
i'm now trying to figure out how the encryption works ;)

i'll keep you posted!