Concerns about the Security Level of the NAV Service Credential Type "AccessControlService"

Ben_Dyson Member Posts: 18
Hi All

After a previous post helped me to resolve an issue:
https://forum.mibuso.com/discussion/68152/how-to-clear-single-sign-on-credentials

I was reminded by a colleague of a security issue with the WebClient. We've seen that if you start a session with one user, you can copy the cookies etc. from their IE temp files and drop them into your own temp files and carry on as the other user without re-authenticating.

We raised this with Microsoft and they didn't accept this as an issue, as users shouldn't be able to access these files from another user... OK, it's a valid point but it doesn't stop it being a security flaw.

So on realising that when using AccessControlService shared credentials, I'm concerned that I could copy the IE temp files and put them on my machine, then NAV would just load as the other user without prompting me for any credentials.

So before I have to make a local system just to test this, I was hoping that someone had already confirmed this? Also if it is an issue, I'm sure you'd all like to know.

Regards

Ben

Answers

  • Ben_Dyson Member Posts: 18
    Thanks Ama.