
IE5 Bug Circumvents Passwords

Security hole may threaten those who share PCs.

Matthew Nelson and Bob Trott, InfoWorld Electric

Microsoft has confirmed the existence of a "complicated and less effective" security bug in Internet Explorer 5.0, which, when users share machines, allows access to password-protected sites without proper authentication.

The bug occurs when one user accesses a password-protected Web site that does not employ standards-based HTTP cache controls. The pages that user visits are cached on the PC, and another user on the same machine can then view them without entering the original user's log-in and password.

The password itself would not be viewed.
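A site operator's check for the condition described above, as an added example that is not part of the original article: it classifies the response headers of a password-protected page by what a browser's local cache may do with the page. The function names, the three result labels and the sample headers are assumptions made for illustration, and the freshness logic is a simplification of the HTTP caching rules.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def local_cache_exposure(headers, now=None):
    """Return "not-stored", "revalidated" or "reusable" for a list of
    (name, value) response headers; "reusable" means a cached copy can be
    shown again without contacting the server."""
    now = now or datetime.now(timezone.utc)
    cc_values, first = [], {}
    for name, value in headers:
        key = name.strip().lower()
        if key == "cache-control":
            cc_values.append(value)  # repeated headers combine
        else:
            first.setdefault(key, value.strip())
    cc = parse_cache_control(",".join(cc_values))
    if "no-store" in cc:
        return "not-stored"
    if "no-cache" in cc:
        return "revalidated"
    if "max-age" in cc:  # max-age takes precedence over Expires
        try:
            return "reusable" if int(cc["max-age"]) > 0 else "revalidated"
        except (TypeError, ValueError):
            return "revalidated"  # unparsable freshness: treat as stale
    if "no-cache" in first.get("pragma", "").lower():
        return "revalidated"  # HTTP/1.0 legacy signal, assumed honoured
    if "expires" in first:
        try:
            fresh = parsedate_to_datetime(first["expires"]) > now
        except (TypeError, ValueError):
            fresh = False  # invalid or zone-less date such as "0": expired
        return "reusable" if fresh else "revalidated"
    return "reusable"  # no cache controls at all: the case in the article

# Constructed sample responses for a protected page (not from the article).
SAMPLES = {
    "no controls": [("Content-Type", "text/html")],
    "split header": [("Cache-Control", "private"), ("cache-control", "No-Store")],
    "legacy": [("Pragma", "no-cache"), ("Expires", "0")],
}
```

Any protected page that comes back "reusable" is one a later user of the same machine could be shown from the cache; sending `Cache-Control: no-store` on those responses moves it to "not-stored".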

Some users believe the bug could be an annoying problem.

"If the [local] cache is compromised in such a way as to allow secure data to be accessed without using proper credentials--or in this case, without any credentials at all--then you have a big problem," said Scott Schnoll, a Portland, Oregon-based Windows developer.

Manual Work-Arounds

Schnoll said work-arounds exist for the bug, such as manually emptying the local cache, or configuring IE5 to automatically purge the cache when it is closed.

"The best solution would be in the form of a patch from Microsoft," Schnoll said. "It would be nice if IE5 users were able to take advantage of the benefits of a local Web cache without having to worry about security breaches such as this."

Microsoft is investigating ways to address this issue in a future release, the company said.

For more IT analysis and commentary on emerging technologies, visit InfoWorld.com. Story copyright © 2007 InfoWorld Media Group. All rights reserved.
