Internet Explorer discloses FTP access credentials
After downloading an HTML page from an FTP server, users of Internet Explorer should check whether their FTP access credentials have been stored within the document before forwarding or republishing it. Internet Explorer 6 and 7 have the strange habit of embedding the source URL of an HTML document in a comment when the document is saved locally. Furthermore, when an FTP server requiring authentication is accessed, the saved document will not just contain the URL; it will also contain the user name and password in plain text, for example:
<!-- saved from url=(0042)ftp://name:password@address/test.html -->
Particularly at risk are users building their own web sites, who may accidentally divulge their own access credentials when uploading the revised document back onto the FTP server. This problem was first mentioned by Washington Post security expert Brian Krebs in his security blog. When asked about this, Microsoft replied that Internet Explorer was not designed to be a full-featured FTP client. The URL is apparently embedded in the document so that it can be used to assign a security zone in case the document is opened again locally. The name and password are included because they are part of the valid URL.
To avoid this problem, a dedicated FTP client should be used. Web developers could, however, use the "saved from" comment to locate forged versions of their pages via Google, provided the copier hasn't removed the embedded comment.
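The check recommended above, as an added example that is not part of the original article: a small Python script that finds Internet Explorer's "saved from url" comment in a locally saved page, reports whether the recorded URL carries a user name or password, and rewrites the comment without them so the page can be republished safely. The sample page and the URL in it are constructed for this demonstration; the assumption that the four-digit number in parentheses is the character count of the URL that follows is mine and is not stated on the page.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches the comment Internet Explorer writes into locally saved pages:
#   <!-- saved from url=(0042)ftp://name:password@address/test.html -->
# Assumption (not stated in the article): the four-digit number is the
# character count of the URL that follows it.
SAVED_FROM_RE = re.compile(
    r"<!--\s*saved from url=\((\d{4})\)(.*?)\s*-->", re.IGNORECASE | re.DOTALL
)

# Constructed sample of a page saved by IE from an authenticated FTP server.
# Host, user and password are placeholders, not real values.
SAMPLE_HTML = """<!DOCTYPE html>
<!-- saved from url=(0050)ftp://alice:s3cret@ftp.example.com/site/index.html -->
<html><body><p>Hello</p></body></html>
"""


def find_saved_from_urls(html):
    """Return the URLs recorded in 'saved from' comments, in document order."""
    return [m.group(2).strip() for m in SAVED_FROM_RE.finditer(html)]


def has_embedded_credentials(url):
    """True if the URL's authority part carries a user name and/or password."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def redact_credentials(url):
    """Strip the user:password@ prefix from the host part, keeping everything else."""
    parts = urlsplit(url)
    if not has_embedded_credentials(url):
        return url
    # rpartition keeps the host exactly as written (case, port, IPv6 brackets).
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def scan_document(html):
    """Return (list of URLs found with credentials, document with those URLs redacted).

    The comment is kept so IE can still assign a security zone on reopening;
    only the credentials are removed and the length marker is recomputed.
    """
    findings = []

    def _replace(match):
        url = match.group(2).strip()
        if not has_embedded_credentials(url):
            return match.group(0)
        findings.append(url)
        cleaned = redact_credentials(url)
        return f"<!-- saved from url=({len(cleaned):04d}){cleaned} -->"

    cleaned_html = SAVED_FROM_RE.sub(_replace, html)
    return findings, cleaned_html


if __name__ == "__main__":
    found, cleaned = scan_document(SAMPLE_HTML)
    for url in found:
        print("credentials found in saved-from comment:", redact_credentials(url))
    print(cleaned)
```

Run the script over every `.htm`/`.html` file before uploading it: a non-empty first element of the `scan_document` result means the page still carries a user name or password and must not be published as-is.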
- Internet Explorer and Your Web Site's Privacy, Brian Krebs' blog entry