All geek questions in one place

Are passwords written in the input field through the stack trace vulnerable?

I am not a stack trace guru at all. I don’t even know how to get them. In any case, I am wondering if it is safe to enter the password entered in the input field. Can't get it by getting a stack trace?

The password entered in this way will be found in many places:

  • TEdit Label Property
  • The result of the function that creates the input field
  • probably the variable in which the result of the InputBox command is stored
  • etc.

If the answer is “yes, this is vulnerability,” then my world crashes :p . What can be done to avoid this security hole?

NOTE. An InputBox is used as an example, but it may be prompted to enter the "homebrewed" system.
The InputBox is a Delphi command, but I did not mark the question using the Delphi tag, because I assume the question is about any language.

+4
source share
1 answer

This is called the air-tight sunroof problem and is based (at least one of the sources) from the chapter in the Douglas Adams book, The Hitchhiker's Guide to the Galaxy. In it, our two main characters are transported by a large guard and are dumped into the gateway until it is evacuated into space. At some point, one of our main characters says that he has a solution, but "it is more likely connected to the other side of the airtight hatch."

Let me explain.

If you have a cracker that can execute code (or in other ways "be") on your own machine, you have already lost it. There are tons of things that a cracker can do at that moment.

So, your first line of defense should be to prevent bad guys from accessing your computer, if you handle this, security will be much easier.

No, this is not a vulnerability, this is the main way your computer works.

In its simplest form, if someone can access the current stack traces of your program while they are running, this probably means that they connected something like a debugger to your program and can "debug" your program as it launch. A breakpoint could easily capture data from memory, process it, and then resume the program without the user knowing that something had happened, but in practice there is a much simpler way to get this information if you can execute the code on the system .

Now, saying that in .NET and in many other time environments, there is support for attempts to at least make it more difficult, instead of storing the entire string, they intercept one and one keystroke in the input field and encode it along with the rest part of the password so that each character is not saved in text format.

However, the code that handles this becomes very cumbersome to work with, simply because any attempt to get the entire password in text form will make the whole exercise pointless, so if you can’t transfer such encoded passwords to the end of your system, it won’t help .

In .NET, the System.SecureString class in question.

However, if a bad guy can execute code on your platform, what prevents him from intercepting keystrokes and simply combining them together to form your password?

Here are some links with examples of similar questions:

You can say that I'm a fan of Raymond Chen.

+21
source

Source: https://habr.com/ru/post/1309096/

More articles:


All Articles