Guest Brian Knittel
Posted December 5, 2008

In August I reported that Windows Explorer can put the password to an FTP site into your URL history in plaintext when you use Explorer to view a password-protected FTP directory (e.g. one that does not permit anonymous access). I have a little more information about this now.

The issue occurs only on XP SP3, and only under limited circumstances. One way to have it occur is to double-click a ZIP file in the FTP directory view. Explorer appears to invoke Internet Explorer to download the file, IE passes the downloaded file back to Explorer, and Explorer opens and displays the ZIP. Somewhere in this process, the password to the FTP site is stored in plaintext in the URL history, and will appear for example in the autofill list if you type "ftp:" into the Address bar. Also, the password is saved this way whether or not you checked "Save This Password" in the password dialog.

The issue does not occur with (most? all?) other file types, and does not occur if you simply drag a ZIP file from the FTP folder onto your desktop or another local folder. In this case, the credential manager operates correctly: the account name but not the password appears in the URL saved in the history, and the password is only saved -- elsewhere and invisibly -- if you had checked "Save This Password" in the password dialog.

Kim Cameron at Microsoft took an interest in this, has reproduced the problem, and reports that they're working on the issue. For now, if you're using XP SP3, a workaround is to never double-click files (or at least, never double-click ZIP files) in a remote FTP directory displayed by Explorer -- use drag and drop, then open the local copy.

Regards,
Brian
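The post above distinguishes a history entry that is fine (account name only, `ftp://user@host/...`) from one that is not (`ftp://user:password@host/...`). An administrator checking a machine for this exposure wants a way to scan an exported URL history for the second form and scrub it. The following is an added example, not code from the original post or from Microsoft; the history entries it scans are constructed sample data, and the `SAMPLE_HISTORY` list, `has_embedded_password`, `redact_password` and `audit_history` names are this example's own.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of lines as they might appear in an exported URL history.
# Hostnames and credentials are invented for this example.
SAMPLE_HISTORY = [
    "ftp://alice:s3cret@ftp.example.test/pub/archive.zip",   # password leaked
    "ftp://alice@ftp.example.test/pub/",                     # account name only: fine
    "ftp://ftp.example.test/pub/readme.txt",                 # anonymous: fine
    "http://www.example.test/index.html",                    # not FTP
    "ftp://bob:p%40ss@files.example.test/",                  # percent-encoded password
]


def has_embedded_password(url: str) -> bool:
    """True when the URL's userinfo part carries a password (user:pass@host).

    urlsplit() exposes the userinfo as .username / .password, so a URL with
    only an account name (user@host) correctly reports no password.
    """
    return urlsplit(url).password is not None


def redact_password(url: str, placeholder: str = "***") -> str:
    """Return the URL with the userinfo password replaced by a placeholder.

    The account name and the rest of the URL are preserved so the entry stays
    recognisable; URLs without an embedded password are returned unchanged.
    """
    parts = urlsplit(url)
    if parts.password is None:
        return url
    # Split the netloc at the last '@' so a '@' inside the password does not
    # confuse the host part; keep the host text exactly as written.
    userinfo, hostpart = parts.netloc.rsplit("@", 1)
    username = userinfo.split(":", 1)[0]
    netloc = f"{username}:{placeholder}@{hostpart}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def audit_history(entries):
    """Scan history lines and report the entries that expose a password.

    Returns a list of (original_index, redacted_url) so the caller can see
    which entries need to be purged without re-printing the secret itself.
    """
    findings = []
    for index, line in enumerate(entries):
        url = line.strip()
        if url and has_embedded_password(url):
            findings.append((index, redact_password(url)))
    return findings


if __name__ == "__main__":
    for index, safe_url in audit_history(SAMPLE_HISTORY):
        print(f"entry {index}: password embedded in URL -> {safe_url}")
```

The redacted form is what you would keep in a report; the plaintext entries themselves should be cleared from the history rather than copied anywhere. Because the check is on the URL's userinfo rather than on a fixed pattern, the same scan applies to any scheme that allows `user:password@host` in the address.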
Guest PA Bear [MS MVP]
Posted December 5, 2008

[Forwarded to WinXP General as an FYI]

Brian Knittel wrote:

> In August I reported that Windows Explorer can put the password to an FTP site into your URL history in plaintext when you use Explorer to view a password-protected FTP directory (e.g. one that does not permit anonymous access). I have a little more information about this now.
>
> The issue occurs only on XP SP3, and only under limited circumstances. One way to have it occur is to double-click a ZIP file in the FTP directory view. Explorer appears to invoke Internet Explorer to download the file, IE passes the downloaded file back to Explorer, and Explorer opens and displays the ZIP. Somewhere in this process, the password to the FTP site is stored in plaintext in the URL history, and will appear for example in the autofill list if you type "ftp:" into the Address bar. Also, the password is saved this way whether or not you checked "Save This Password" in the password dialog.
>
> The issue does not occur with (most? all?) other file types, and does not occur if you simply drag a ZIP file from the FTP folder onto your desktop or another local folder. In this case, the credential manager operates correctly: the account name but not the password appears in the URL saved in the history, and the password is only saved -- elsewhere and invisibly -- if you had checked "Save This Password" in the password dialog.
>
> Kim Cameron at Microsoft took an interest in this, has reproduced the problem, and reports that they're working on the issue. For now, if you're using XP SP3, a workaround is to never double-click files (or at least, never double-click ZIP files) in a remote FTP directory displayed by Explorer -- use drag and drop, then open the local copy.
>
> Regards,
> Brian
Guest Anteaus
Posted December 5, 2008

Re: Windows Explorer exposes passwords in plaintext -- more detail

This has been the case for a very, very long time, probably since IE3 came out in the mid-90s. I daresay that IE is not the only browser to do this, either.

A mitigating factor is that FTP is not a particularly secure service anyway. Although, a significant risk exists where a common password is used for ISP webspace, email and other functions (as is often the case with broadband packages), since in this instance exposing the password allows more than just FTP.

"PA Bear [MS MVP]" wrote:

> [Forwarded to WinXP General as an FYI]
>
> Brian Knittel wrote:
> > In August I reported that Windows Explorer can put the password to an FTP site into your URL history in plaintext when you use Explorer to view a password-protected FTP directory (e.g. one that does not permit anonymous access). I have a little more information about this now.
> >