Passwords Hidden in Plain Sight

While users may forget their passwords easily, computers, like elephants, never forget. The persistence of that memory could pose a security problem if staff with limited access privileges were to figure out how to access the plain text passwords in the computer's database, says Abhishek Kumar, who authored a paper about this vulnerability. No incidents of this exposure being exploited are yet known to have occurred, he says, "but it could happen very soon if we do not plug this vulnerability."

The problem arises because passwords are typically encrypted while on a hard disk but are sometimes not encrypted in memory. "Thus attackers with local access to the system can read and extract passwords" using free tools such as memory viewers, explains Kumar, a researcher with Web-security company Paladion, which is based in Mumbai, India.

If users with limited privileges gained access to those passwords, they could fool the computer into treating them as high-level users. "Escalation of privileges is a common method of attack where a low privileged user exploits a vulnerability to become an administrator or a higher privileged user," the paper notes.

Kumar advises companies to be aware of this vulnerability, and he recommends that vendors be notified immediately if this hole is discovered by any users. @ "Discovering Passwords in the Memory" is available through SM Online.