Credentials (UN)Management in home banking.

Pierluigi Paganini October 24, 2017


Out of the five main information security pillars, namely confidentiality, integrity, availability, authenticity and irrefutability, common users give more attention to the first one. But in real life even though in general people agree with the importance of backup, not many actually implement this security mechanism. What one says and what one do is not the same.

Nowadays, the concern with espionage acts grew with Snowden´s case, and that fact can be easily checked with media coverage of the case. From the mass coverage media such as The Huffington Post, The Washington Post, through information security expert Bruce Schneier, all bring insight about the impact of the information disclosed by the former NSA employee.

With that in mind, one can ask himself the question “how secret is my secret?”.

This paper is a brief of the full research The leakage of passwords from home banking sites: A threat to global cyber security? –Jounal of Payments Strategy and Systems Vol 11 Number 2 By Rodrigo Ruiz; Rogério Winter; Kil Jin Brandini Park; Fernando Amatte

We Got Something…

Account information of various websites were recovered. AS A CLEAR TEXT!

Figure 1.

banking 1

Figure 1 – Citibank USA account information (“&username=userciti” and “&password=citipaswt”) recovered from disk.

Web Forms

Web forms defines the way users can interact with a website. The user enters some data, text or numbers in specific fields, clicks the submit button and waits for a response. All forms share this basic behavior and HTML commands are standard. Each development framework have its own way to generate forms, but they are not responsible to provide any kind of security on it.

A basic html web form will look like this:

HTML code

<form method="POST" action="">
            <br>User : <input type="text" name="user" size="20">
            <br>Password: <input type="password" name="password" size="20">
            <br><input type="submit">

Considering this basic HTML form, one question remains: where is the security behind it?

Who Should Worry?

Users, developers, companies, and organizations of any size.

One should think about the implications of a password disclosure. The effects vary, according to the service, but ranges from espionage, sabotage and even unlawful money transfers.

Thus anyone that own, manage or use websites that requires identification and authentication should worry, since with this method if an attacker acquires access to the user machine he can easily search for those account information in a matter of hours.

Am I Really Protected?

Usually, the traffic of data is the main concern when the focus is in confidentiality. Thus, the encryption of the communication channel is largely used.

As an example, in the application network layer, the HTTPS protocol is used to provide that confidentiality.

Another safety measure is to forbid the use of weak passwords and to avoid plain text storage of passwords on servers.

But none of the above really matters if username and passwords are recorded as plain text on the client side. And in this paper, we proved that this happens with many internet web service providers.

How Was The Job Done?

First, it is important to notice that we need physical access to the disk for this method to work. We will discuss this matter further on the topic of possible protection from this flaw.

After navigation and authentication on the tested sites, we began by searching for a previously known string (the bogus password) on the disk. For the test performed we chose passwords that were not previously used on the tested machine in order to avoid false positives.

For that end we used a tool to search for strings on the disk with raw access, not caring for the particularities of the file structures or filesystem.

Making it Automatic

After the proof of concept, we tried to extract signatures for each service tested (websites visited).

We began with some bogus account information on various websites. With that, we extracted account signatures of some websites as see in Table 1:

banking 2

Table 1 – Signature of the Account Identification for Some of the Tested Sites.

The signatures allowed the carving of data from the disk, through the usage of the Foremost program, a forensic tool for extraction of files – “data carving” – of different formats.

This tool works as follows: It reads a block of data in memory, disk or files and looks for signatures related to files of well-known formats. The search showed the possibility of unveiling username and password previously used on the system:

The tests are still happening, and the same results were gathered from other sites like webmail (Figure 2), banking, government and military sites:


Figure 2 – Login Information from Gmail (“mail?”)

Where Did We Find it?

In Internet Explorer´s case, the following directories and files contained the recovered information about authentication:

\users\user\appdata\local\microsoft\internet Explorer\recovery\last active\

\users\usuário\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\


In Chrome, Firefox and Safari´s case, the only file that contained the recovered information about authentication was Pagefile.sys. That proves that in their case the leakage of login information is due to the operating system´s paging process.

In the tests conducted with a Brazilian banking site, the following files contained the recovered information about authentication:

\Program Data\gpplugin\cef\bank.gbl.??

\users\usuário\appdata\local\microsoft\windows temporary\wk9???\adsadclient31.htm

About the Inspiration of This Research

From some previous work, the authors demonstrated that the browser’s functionality that promises anonymous browsing (e.g Internet Explorer´s In Private, Firefox´s Private Browsing, Chrome´s Incognito Mode and Safari´s Private Mode) show in certain circumstances flaws that allow an attacker to extract information about sites visited by the users.

In the first paper, “Tornando Pública a Navegação In Private”(Making InPrivate Navigation as public), published on the proceedings of the seventh international conference on forensic computer science, we tested for several conditions the anonymous browsing functionality of the browsers Internet Explorer 8 and Firefox 8.0.1 running inside virtual machines. We were able to recover, using data carving forensic techniques, images and page fragments that allowed the identification of the pages visited by the users as see in Figure 3:


Figure 3 – One of the images recovered from disk after user navigation. The image was completely recovered but for copyright reasons is only partially displayed.

It is possible to see a fragment of a webpage recovered from disk after user navigation. Source:  Tornando Pública a Navegação In Private (RUIZ, AMATTE and PARK).

<h2><a href=””

rel=”bookmark” title=”Permanent Link to Ned

Flanders e Edna Krabappel”>Ned Flanders e Edna


<div class=”post-title-info”>Autor: Felipe &nbsp;|&nbsp;

Categoria: <a href=””

title=”Ver todos os posts em Informa



facebook-icon01.jpg” alt=”A favor” /></a> <a

href=””><img src=”http://

jpg” alt=”Contra” /></a></p>

This work was extended and published on the proceedings of the International Conference on Information Security and Cyber Forensics as Opening the “Private Browsing” Data – Acquiring Evidence of Browsing Activities. The paper included the following browsers: Internet Explorer 10, Firefox 24.0_1, Google Chrome 30.0.159969M_1 and Safari 5.1.7_1. The base guest virtual machine for each browser was replicated 4 times, each to be used in the four different tests performed on each browser:

  • Test S (Shutdown): Consists of visiting a web site available on the internet, making operations to interact with the site, finish the execution of the browser correctly and generating the virtual machine image for analysis.
  • Test F (Freeze): Consists of visiting a web site available on the Internet, making operations to interact with the site and with the browser still active, generating the virtual machine image for analysis.
  • Test K (Kill process): Consists of visiting a web site available on the internet, making operations to interact with the site, requesting that the operating system interrupts the browser execution and generating the virtual machine image for analysis.
  • Test P (Power down): Consists of visiting a web site available on the internet, making operations to interact with the site, requesting the virtualizer to turn off the virtual machine – simulating a power outage – generating the virtual machine image for analysis.

The results obtained showed no significant changes from the first research:

Table 2 – Results for Safari Browser

F Test K Test P Test S Test
Page address recover Yes Yes Yes Yes
Pic recover No Yes Yes Yes

Table 3 – Results for Fire Fox Browser

Teste F Teste K Teste P Teste S
Page address  recover Yes Yes Yes Yes
Pic recover No Yes Yes Yes

Table 4 – Results for Chrome Browser

F Test K Test P Test S Test
Page address  recover Yes Yes Yes Yes
Pic recover No Yes Yes Yes

Table 5 – Results for IE10

F Test K Test P Test S Test
Page address  recovery Yes Yes No Yes
Pic recovery No No Yes No

How to Avoid It?

As previously stated, physical access to the disk is needed for this method. That could lead to the assumption that the use of cryptography would render the method useless. But this is not entirely true.

It is easy to notice that a malware running in the user machine could collect and send the banking account information gathered while the machine is in use (and thus with decrypted data in memory and disk).

So it becomes clear that other techniques are needed in order to avoid it.

Why Use a KeyLogger?

From that perspective, it is easy to notice that instead of a keylogger (that would need to wait until the user typed the account information), it is more effective to develop a malware that will search the disk for the signatures extracted. As a matter of fact, we already have a proof of concept, implemented using the Foremost forensic tool, that does exactly this.

More on the Subject

We also conducted tests on Linux and Safari and on mobile Android systems and were able to recover username and passwords on them.

It is important to notice that no unlawful actions were conducted, as no penetration tests were done. All username and password tested were personal or invalid/bogus.

Also noteworthy is the fact that when possible, we contacted the companies and organizations about this issue.


As previously stated, no amount of safety measures is enough when account information is stored as plaintext on the client side. We proved that this happens with major internet service providers.

Because of this finding, banking account information can be easily disclosed, and a keylogger is no longer needed. It is easier and more effective to carve the data from the disk.


 Rodrigo Ruiz is   researcher at CTI – Information Technology Center Renato Archer, Campinas, Brazil. In addition, he as the co-author of Apoc@lypse: The End of Antivirus. He has also authored papers about privacy and security for Cyber Defense Magazine, Cyber Security Review, JCSM, 2600 Magazine, US Cybersecurity Magazine, ICCYBER, ICCICS, WCIT2014, YSTS, IJCSDF, ICISCF, SIGE, JPSS. , [email protected]

Rogério Winter is colonel at the Brazilian Army and head of Institutional relations of CTI Renato Archer with more than 25 years of experience in military operations and cybersecurity. He is master degree in Electronic Engineering and Computation by Aeronautics Technological Institute-ITA, dedicates to the warfare issues, cybernetics, command and control, and decision-making process and he is co-author of Apoc@lypse: The End of Antivirus.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Banking, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment