TONT 35713 当人们要将安全漏洞作为功能的时候:窃取密码


Sometimes people ask for features that are such blatant security holes I don’t know what they were thinking.


Is there a way to get the current user’s password? I have a program that does some stuff, then reboots the system, and I want to have the current user’s password so I can log that user back in when I’m done, then my program can resume its operation.


(Sometimes they don’t bother explaining why they need the user’s password; they just ask for it.)


Imagine the fantastic security hole if this were possible. Anybody could write a program that steals your password without even having to trick you into typing it. They would just call the imaginary GetPasswordOfCurrentUser function and bingo! they have your password.

想象一下如果这件事成为可能的话,会产生一个多么美妙的安全漏洞。任何人都可以写一段程序来窃取你的密码,甚至不需要欺骗你把密码输进去,只需要调用那个虚构的 GetPasswordOfCurrentUser 方法就好了,一转眼,他们就拥有了你的密码。

For another angle on credential-stealing, read Larry Osterman‘s discussion of why delegation doesn’t work over the network.

或者也可以换个角度来观察凭据窃取这个问题,可以读一读  Larry Osterman 关于为什么代理认证在(内部)网络上行不通的文章。

Even if you didn’t want the password itself but merely some sort of “cookie” that could be used to log the user on later, you still have a security hole. Let’s call this imaginary function GetPasswordCookieOfCurrentUser; it returns a “cookie” that can be used to log the user on instead of using their password.

即便你不是想要密码本身,只是想要个某种形式的『Cookie』用于稍后替用户登录,这样操作同样也是一个安全漏洞。姑且将这个想象中的方法叫做 GetPasswordCookieOfCurrentUser,调用之会返回一个『Cookie』可以在稍后用于替用户登录,而不是直接返回用户的密码。

This is just a thinly-disguised GetPasswordOfCurrentUser because that “cookie” is equivalent to a password. Log on with the cookie and you are now that person.

这不过是前述的 GetPasswordOfCurrentUser 稍稍改头换面了一下而已,因为这个『Cookie』等同于密码,用这个『Cookie』登录之后你就是用户本人了。

(译注:Windows 10 看上去已经有了这篇15年前的文章描述的功能了——设置—账户—登录选项—『更新或重启后,使用我的登录信息自动完成设备设置并重新打开我的应用』,但仅限于系统更新或由系统发起的设备配置,而不是像这篇文章说的那样可以由第三方程序使用,且如果本机加入了域或应用了组策略,则该功能不可用。点击这里查看官方说明。)


电子邮件地址不会被公开。 必填项已用*标注

 剩余字数 ( Characters available )

Your comment will be available after auditing.

Please DO NOT add any links in your comment, otherwise it would be identified as SPAM automatically and never be audited.