Problems with Sun's Java Plug-in and Java Wallet

Introduction

From time to time we hear that electronic commerce, particularly via the World Wide Web, will revolutionize the way that business is done. Many people, fearing electronic fraud and imposture, remain suspicious of the technologies involved and refrain from using them. In an effort to allay such fears and to offer a secure environment for electronic transactions, Sun is developing the Java Wallet, which they believe will provide solutions to the manifold problems of electronic commerce.

We understand that in the near future Netscape may leave its Java Security largely in the hands of outside firms who will develop plug-in Java Runtimes for their browsers. One such plug-in has already appeared and is available: Sun's Java Plug-in (formerly known as Project Java Activator). Perhaps the most significant application to require the Java Plug-in is the Java Wallet.

Most readers are aware of the numerous security problems discovered in the past two years in Java-enabled web browsers. Hostile applets remain a threat, even in the latest browsers, and third parties who claim to offer tools to bolster security frequently fail to do so. Thus there is a real need to scrutinize all types of Java-based products for security problems and to report those problems candidly in a public forum. This has the desirable dual effect of alerting users to threats and bringing market pressure to bear on vendors who continue to offer flawed products as secure solutions. In keeping with this line of thinking, we have recently taken a hard look at Sun's Java Wallet. The following applets demonstrate that Sun has a long way to go before it can claim to offer a secure electronic commerce product.

Pickpocket - An Applet Which Steals Information and Passwords from the Java Wallet

Applications that save login and password data for your convenience are always tempting targets. Unfortunately, Sun's Java Wallet offers this feature, and we found that it is easy for an untrusted applet to recover any saved information. This example shows how an applet can discover the Java Wallet's home directory on a user's machine; because that path is built from the user.home property, finding it necessarily reveals the user's home directory as well. The example also shows that an applet can read the Java Wallet's properties file (jecf.properties), which lets it gather saved user login data and "decrypt" saved passwords. The quotation marks are deliberate: the stored passwords are recoverable by any applet that can read the file.

To test this applet, you first need to set up Sun's Java Plug-in and Java Wallet, and you need to create and save a wallet as the default for auto-login. We set up a wallet with a login name "dummy" and password "easy2read," and then we ran our applet. This yielded some very interesting information. You can also read the source code to see where the problem lies.
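As an added illustration (our code, not the Pickpocket applet linked from this page), the following Java program probes the two steps Pickpocket depends on and shows what a working sandbox does with them. It assumes that jecf.properties lives directly under the user's home directory, and a JDK in which a SecurityManager can still be installed (JDK 8 to 17 as-is; 18 to 23 with -Djava.security.manager=allow). The class and method names are ours.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

/**
 * Sandbox probe for the two steps Pickpocket relies on: reading the user.home
 * property and reading jecf.properties beneath it. Each step is recorded as
 * "allowed", "denied" (a SecurityException) or "not readable" (no such file).
 * Added example; not code from the Java Wallet or from the Pickpocket applet.
 */
public class WalletProbe {

    /** Assumed location of the wallet's properties file relative to the home directory. */
    static final String PROPS_FILE = "jecf.properties";

    /** Step 1: can this code learn the home directory from the system properties? */
    static String probeUserHome() {
        try {
            return "allowed: " + System.getProperty("user.home");
        } catch (SecurityException e) {
            return "denied: " + e.getClass().getName();
        }
    }

    /**
     * Step 2: can this code open and parse jecf.properties under a known home
     * directory? Only key names are reported, never the stored values.
     */
    static String probePropertiesFile(String home) {
        File f = new File(home, PROPS_FILE);
        try (FileInputStream in = new FileInputStream(f)) {
            Properties p = new Properties();
            p.load(in);
            return "allowed: keys " + p.stringPropertyNames();
        } catch (SecurityException e) {
            return "denied: " + e.getClass().getName();
        } catch (IOException e) {
            return "not readable: " + e.getMessage();
        }
    }

    /** Run both steps and return the outcome of each, keyed by a description. */
    static Map<String, String> probe(String knownHome) {
        Map<String, String> r = new LinkedHashMap<>();
        r.put("read user.home", probeUserHome());
        r.put("read " + new File(knownHome, PROPS_FILE), probePropertiesFile(knownHome));
        return r;
    }

    public static void main(String[] args) {
        // The home directory is captured before any sandbox exists; an attacker
        // might know it anyway, so the file step is probed independently.
        String home = System.getProperty("user.home");

        System.out.println("-- no security manager (the Java Plug-in situation the page describes) --");
        probe(home).forEach((k, v) -> System.out.println(k + " -> " + v));

        // Under the JDK's default policy, user.home is not a readable property and
        // files under the home directory carry no FilePermission: both steps are denied.
        System.setSecurityManager(new SecurityManager());
        System.out.println("-- default SecurityManager --");
        probe(home).forEach((k, v) -> System.out.println(k + " -> " + v));
    }
}
```

Compile and run it with `javac WalletProbe.java && java WalletProbe`. The first pass shows both steps allowed, which is the position an applet found itself in under the Java Plug-in; the second shows the JDK's default policy denying both, since user.home is not among the properties the default policy grants and the home directory carries no FilePermission. Any runtime that claims to sandbox applets should give the second answer.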

BookMarker - An Applet Which Alters the Behavior of the Java Wallet's "Help Contents" Button

This example demonstrates how an untrusted applet can alter the behavior of the Java Wallet's "Help Contents" button. On Solaris systems this allows the applet to execute commands via Netscape's Communicator when that button is pressed.

In order for the "Help Contents" button to function at all, the user must have already set the property jecf.browser.path in the file jecf.properties. Since this is an apparently unadvertised feature of the Java Wallet, a second applet runs on the same page as the BookMarker and prompts the user to set that property. Note that this applet runs via the Communicator's own Java Runtime and that it uses Netscape's security apparatus to display Netscape's certificate along with its own message.

In order to try these applets, you need to set up Sun's Java Plug-in and Java Wallet along with Netscape's Communicator (4.04 or 4.05) on a Solaris system. You should also have Sun's Purchase 1.1 Java Wallet cassette and a Java Wallet user set up. Then you should be able to run the applets.

Helper.java retrieves private information about Netscape's System Principal by creating a handy encoder. It then creates a fake System Principal and uses that to display Netscape's certificate along with a message asking you to verify that jecf.browser.path is properly set in jecf.properties. If this social engineering effort works, the Java Wallet's "Help Contents" button will function and be able to do the applet's bidding.

BookMarker.java first downloads bogus Java Commerce Messages to start the Java Wallet. Once the Java Wallet is running, the applet can reach the field JECF.globals.releaseBundle and set it to a new ListResourceBundle of its own construction. The bogus Java Commerce Messages cause the Java Wallet to display a phony message about an internal test, along with instructions to press the "Help Contents" button for more information. If you do so, the applet adds a bookmark for the Hostile Applets Home Page to your bookmarks.

Note that on Solaris systems many other options are available to the applet. Using the "-remote" flag allows the applet to run any of the Communicator's "xfeDoCommand" options. Using the "-java" flag allows the applet to have the Communicator's Java Runtime execute any Java program in your CLASSPATH. For example, this particular ListResourceBundle allows the applet to set up a ServerSocket and echo server on your machine. Clearly the ability to change the behavior of the "Help Contents" button can lead to much mischief.
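The field swap described above comes down to a trusted class exposing a public, non-final static field that untrusted code in the same VM can simply assign. The Java below is an added model of that flaw and of a hardened shape, written for this page and not taken from the Java Wallet or from BookMarker.java: the field name releaseBundle and the -remote flag are from the text, while the key help.remote, the file paths, the bookmark URL and the browser path are hypothetical, and the -remote strings follow the Netscape 4 Unix remote-control syntax only as an illustration.

```java
import java.util.Arrays;
import java.util.ListResourceBundle;
import java.util.ResourceBundle;
import java.util.regex.Pattern;

/**
 * Model of the BookMarker problem: a public, non-final static field holds the
 * resource bundle from which the "Help Contents" button builds its command line,
 * so any code in the same VM can replace it. Added example, not Java Wallet code;
 * the key "help.remote", the paths and the URL below are hypothetical.
 */
public class HelpButtonModel {

    /** Stand-in for JECF.globals.releaseBundle as the page describes it. */
    public static ResourceBundle releaseBundle = bundle("openURL(file:///opt/jecf/doc/help.html)");

    /** Build a one-entry bundle whose "help.remote" value is the given string. */
    static ResourceBundle bundle(final String remoteCommand) {
        return new ListResourceBundle() {
            protected Object[][] getContents() {
                return new Object[][] { { "help.remote", remoteCommand } };
            }
        };
    }

    /** Vulnerable: whatever string sits in the bundle becomes the browser's -remote argument. */
    static String[] helpCommand(String browserPath) {
        return new String[] { browserPath, "-remote", releaseBundle.getString("help.remote") };
    }

    /** What an untrusted applet does once the wallet has started: assign the field. */
    static void hostileSwap() {
        releaseBundle = bundle("addBookmark(http://example.invalid/hostile, Hostile)");
    }

    // Hardened variant: the field is private and final, the bundle only names a
    // help document, and the name is validated before it is spliced into a fixed command.
    private static final ResourceBundle HELP_DOCS = new ListResourceBundle() {
        protected Object[][] getContents() {
            return new Object[][] { { "help.file", "help.html" } };
        }
    };
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_.-]+\\.html");

    static String[] safeHelpCommand(String browserPath) {
        String doc = HELP_DOCS.getString("help.file");
        if (!SAFE_NAME.matcher(doc).matches()) {
            throw new IllegalStateException("refusing help document name: " + doc);
        }
        return new String[] { browserPath, "-remote", "openURL(file:///opt/jecf/doc/" + doc + ")" };
    }

    public static void main(String[] args) {
        String browser = "/usr/local/bin/netscape"; // in the real wallet this comes from jecf.browser.path
        System.out.println("before swap: " + Arrays.toString(helpCommand(browser)));
        hostileSwap();
        System.out.println("after swap:  " + Arrays.toString(helpCommand(browser)));
        System.out.println("hardened:    " + Arrays.toString(safeHelpCommand(browser)));
    }
}
```

Running it prints the command the help button would hand to the browser before and after the hostile swap, and then the hardened command, which is unaffected because the bundle it reads is private and final, supplies only a file name, and that name is checked against a whitelist before being spliced into a fixed openURL(...) string. The broader lesson is that a resource bundle is data, not code: nothing that ends up in a Runtime.exec argument should be something an untrusted party can choose.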

DemonDialer - An Applet Which Can Use Your Modem

This example shows how an untrusted applet can exploit the Java Wallet to access the serial and parallel ports on your machine. This particular example, DemonDialer.java, first looks at all of the available ports on your machine. When it discovers a serial port, it lists some of that port's properties. If a given serial port is free, the applet opens it and looks to see if a modem might be attached. If so, the applet sets some modem properties and then dials out. If the serial port is not free, or if something goes wrong, the applet sleeps for 10 seconds before trying again. The applet also resurrects itself in case of ThreadDeath and keeps going.

While this applet merely dials a toll-free number and waits 60 seconds before hanging up, it is easy to make the applet run up charges on your phone bill, connect to an evil modem with a computer waiting to attack your machine, and many other nasty things. Note that the applet will keep dialing out, so you will have to exit your browser in order to bring it to a halt. If you download the applet over your modem, the applet will lurk in the background and attack once your modem is not in use.

To try this applet, you first need to set up Sun's Java Plug-in and Java Wallet on a machine running Windows NT or Windows 95. It works for both Netscape's Communicator (4.04 and 4.05) and Microsoft's Internet Explorer (4.0 and later). If you still want to try this applet, you'll have to do so at your own risk.
