9.4.2 – AutoComplete Information
The AutoComplete of Internet Explorer is intended to save users time by recording
information the user types to the browser such as website addresses, form information
including username/password combinations, and search queries. Previous versions of
Internet Explorer encrypted AutoComplete data by using the Windows Protected Storage
API (PStore) [73]. The data is encrypted using the Triple DES algorithm from the
CryptoAPI [74]. Although this algorithm is considered to be secure, access to the
encrypted data is tied to a user’s Windows logon credential [75]. In a typical system,
this is provided by calculating the hash of the user’s password. Once the user is
logged in, any program can access the unencrypted data by using the PStore API. This
poses a serious security risk and so Microsoft has opted to now store encrypted
AutoComplete data using the Data Protection API (DPAPI) [76].
DPAPI provides software developers with OS-level data protection services. This allows
developers to create applications that can secure data by simply using function calls to
DPAPI rather than having to write their own application-specific cryptographic code. As
with PStore, the password used in the encryption/decryption process is the user’s logon
credential. However, DPAPI allows applications to use an additional password when
protecting data, thereby overcoming the vulnerabilities of PStore by hindering the
ability of one application to compromise another application’s encryption key.
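The two protection modes described above can be compared through the .NET wrapper around DPAPI, where the optional entropy argument plays the role of the additional secret. This is an added example, not code from the original paper: the sample value and entropy strings are constructed, `Test-Unprotect` is a hypothetical helper, and it assumes Windows PowerShell 5.1 running as an ordinary logged-in user.

```powershell
# Added illustration; DPAPI is a Windows service, so this runs on Windows only.
Add-Type -AssemblyName System.Security

$scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$enc     = [System.Text.Encoding]::UTF8
$secret  = $enc.GetBytes('TEST1')                 # constructed sample value
$entropy = $enc.GetBytes('app-specific-secret')   # constructed additional secret
$wrong   = $enc.GetBytes('another-application')   # constructed, simulates a different app

# Mode 1: key material derives from the logon credential only (the PStore-like case).
$blobLogonOnly = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)

# Mode 2: logon credential plus an application-supplied secret.
$blobWithEntropy = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

function Test-Unprotect {
    # Hypothetical helper: returns the plaintext, or a marker string if DPAPI refuses.
    param([byte[]]$Blob, [byte[]]$Entropy)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $scope)
        return $enc.GetString($plain)
    } catch {
        return '<unprotect failed>'
    }
}

# Each row is one attempt by a process running under the same user account.
$attempts = @(
    @{ Case = 'logon-only blob, no entropy';       Blob = $blobLogonOnly;   Entropy = $null },
    @{ Case = 'entropy blob, correct entropy';     Blob = $blobWithEntropy; Entropy = $entropy },
    @{ Case = 'entropy blob, no entropy supplied'; Blob = $blobWithEntropy; Entropy = $null },
    @{ Case = 'entropy blob, wrong entropy';       Blob = $blobWithEntropy; Entropy = $wrong }
)

foreach ($a in $attempts) {
    [pscustomobject]@{
        Case   = $a.Case
        Result = Test-Unprotect -Blob $a.Blob -Entropy $a.Entropy
    }
}
```

The first attempt succeeds for any process running as the same user, which is the exposure the paragraph attributes to PStore. The blob protected with entropy is only recoverable by a caller that also knows that value, so the protection is only as strong as the secrecy of the entropy itself.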
All of the data stored for AutoComplete fields (i.e. AutoComplete strings for data forms)
is stored in the
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage1
registry key. It is held as an encrypted list of HTML form field names and the
corresponding data the user entered in that field. Unfortunately, the name or URL of the
Web page is not cached. For example, if a user visits http://www.google.co.uk/ and types
the search query “TEST1”, Internet Explorer will only cache the AutoComplete entry
“TEST1” (assuming the corresponding AutoComplete option is enabled) as well as the form
field name “q”, as this is the form field name assigned to the input box on the Google
homepage.