New Browser Security Flaw Discovered

By Will Rodger
March 27, 1997 10:09 AM EST
Inter@ctive Week Online

Internet browsers set up to protect users' credit card numbers from theft are unwittingly handing out those numbers to untold numbers of other Web sites as visitors follow links from those sites to other, insecure ones, officials from Netscape Communications Corp. and Microsoft Corp. confirmed Wednesday.

The hole, though thus far unexploited, now appears to be the most serious flaw yet discovered in the way Internet browsers handle confidential information over the Internet.

"The place people will crack it is not the places people worry about security but the ones they don't," said Daniel Klein, a Pittsburgh-based consultant who discovered the hole earlier this month. "This is a big hole."

Officials at Netscape and Microsoft, though, said a software fix may not emerge for weeks.

"We're looking into what can be done now for users of Explorer 3.0," Microsoft spokesman Jerry Dale said. Nonetheless, a final fix doesn't seem certain before summer, he said.

Security experts warned users might not have that long.

"This is a serious problem," said Eugene Spafford, director of the Computer Operations, Audit, and Security Technology program at Purdue University in Indiana. "This isn't a good response because it's not clear how many other people are going to be impacted by it."

But Steven Bellovin, a computer security researcher at AT&T Corp. labs, warned Microsoft and Netscape could find the problem difficult to surmount.

"The reality of software engineering making a quick and dirty fix to a large program is likely to cause more problems than it fixes," he said. "First you have to decide what the fix is."

The flaw is part of the way browsers from Microsoft and Netscape handle information passed from the user to Web sites that require visitors to fill out order forms on the Web.
When many sites ask for users' credit card information, they exchange that data in encrypted format to keep computer vandals from "sniffing" the connection to steal that information. Programmers often use a command known as the GET protocol to carry out their transactions. The procedure has generally proven reliable.

But if a visitor who has just filled out a secure form then clicks on a highlighted link to another Web site, all bets may be off. The information that the Web user typed in securely suddenly gets transferred to the logs of the next machine, credit card numbers and all. And since those logs serve only to tell the next computer where the visitor was last, that information is often open to hackers, whether the rest of the site is protected or not. Worse still, all the original information is sent unencrypted. The flaw is restricted to those secure machines that use GET in the first place.

"It's like you've gone to the restaurant with your lover," Klein said, "The restaurant is there, it's private, yet when you leave the restaurant you have the menu in your hand and there's food all over your shirt."

No one knows how many sites are affected by the flaw, but the number is potentially large. Indeed, none of the security experts contacted knew of the problem before it was discovered by Klein.

To be sure, there are remedies for the flaw. Instead of sending visitors directly to pages linked from theirs, Web site operators can automatically send users to an in-house dummy page that would then direct users to the desired destination on the Net. Alternately, Web designers could use another command known as POST to do their work. But the POST command is tougher to use, and implies rewriting Internet code designed to sum the total of shopping "baskets." What's more, most programs use the GET command by default.

Users, finally, can protect themselves by typing in Internet addresses manually instead of using links from "secure" pages.
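
The leak described above travels in the HTTP Referer header, the field that tells the next server where the visitor was last, so a site operator can audit their own access logs for it. The following is an added example, not part of the original article: a log check that flags Referer URLs whose query string carries a value that passes the payment-card Luhn checksum. The Combined Log Format layout, the host names, the parameter names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Tail of a Combined Log Format line: "request" status bytes "referer" "agent"
LOG_TAIL = re.compile(r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"\s*$')

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def leaked_card_params(referer):
    """Names of query parameters in a Referer URL whose value looks like a card number."""
    hits = []
    for name, value in parse_qsl(urlsplit(referer).query, keep_blank_values=True):
        compact = re.sub(r"[ -]", "", value)
        if re.fullmatch(r"\d{13,19}", compact) and luhn_ok(compact):
            hits.append(name)
    return hits

def scan(lines):
    """Return (line number, referring host, parameter names); never the value itself."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_TAIL.search(line)
        if m:
            names = leaked_card_params(m.group("referer"))
            if names:
                findings.append((lineno, urlsplit(m.group("referer")).netloc, names))
    return findings

# Constructed sample log lines; 4111111111111111 is a standard test number.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Mar/1997:10:09:00 -0500] "GET / HTTP/1.0" 200 1043 '
    '"https://shop.example/order?name=A+User&card=4111111111111111&exp=0199" "Mozilla/3.0"',
    '203.0.113.9 - - [27/Mar/1997:10:11:00 -0500] "GET / HTTP/1.0" 200 1043 '
    '"http://search.example/find?q=4111111111111112" "Mozilla/3.0"',
    '203.0.113.7 - - [27/Mar/1997:10:12:00 -0500] "GET / HTTP/1.0" 200 1043 "-" "Mozilla/3.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit identifies a referring site whose order form submits card data with GET; the report deliberately omits the matched value so the audit output does not become a second copy of the leak.
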
Eric Greenberg, Group Security Product Manager at Netscape, said his company was looking closely at the problem, but had to proceed cautiously, since improperly written changes could jeopardize the functioning of many sites that were written assuming the flaw was still there. Greenberg could give no timeline for a software patch.

"If I put something into the browser that broke four of your 10 favorite sites on the Net, how would you feel?" he said.

Netscape's ultimate solution, he said, would "involve looking at the standard education efforts" the company has always used to alert programmers of new developments at Netscape along with a possible change in the Navigator code.

"Any security issue we have is serious," he said. "We'll act accordingly."

Netscape can be reached at www.netscape.com
Microsoft can be reached at www.microsoft.com