Windows Vista gadgets and AOL username/password
Storing your AOL username/password as settings in a Windows Vista gadget is very easy to implement, but not necessarily secure. Last week I posted the XDriveInfo gadget which had a settings page for entering your AOL screenname and password. The password is masked as you type, offering basic 'look-over-the-shoulder' protection.
After getting my gadget to work I started thinking a little more about the security considerations.
When using the Windows Vista settings API, the settings are stored in a global, old-fashioned INI file.
The file can be found in:
C:\Users\<username>\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
After looking into this file I found my username and password stored as plain text:
[Section 56]
PrivateSetting_GadgetName="C:%5CUsers%5CMark%5CAppData%5CLocal%5CMicrosoft%5CWindows%20Sidebar%5CGadgets%5CxDriveInfo.gadget"
PrivateSetting_Enabled="true"
username="markdeveloper"
password="secretpassword"
PrivateSetting_GadgetTopmost="false"
PrivateSetting_SidebarDockedState="Docked"
The settings file is accessible from any other installed gadget (see also settings manager) and is therefore not secure.
We need to implement a little JavaScript encryption routine.
I looked around on the Internet and found a high-quality JavaScript encryption routine by John Walker, but after playing around with it for a short time I found it too complex for my purposes.
Next I found a JavaScript implementation of the Vernam cipher using JavaScript XOR Encryption.
I reimplemented the example as:
// XOR every character code of the input with a fixed key.
function encrypt( plainString )
{
    if ( plainString == "" ) return "";
    var xor_key = 2;
    var result = "";
    // "var i" keeps the loop counter local instead of creating a global
    for ( var i = 0; i < plainString.length; ++i )
    {
        result += String.fromCharCode( xor_key ^ plainString.charCodeAt(i) );
    }
    return result;
}

// XOR is its own inverse, so decrypt applies the same key a second time.
function decrypt( encryptedString )
{
    if ( encryptedString == "" ) return "";
    var xor_key = 2;
    var result = "";
    for ( var i = 0; i < encryptedString.length; i++ )
    {
        result += String.fromCharCode( xor_key ^ encryptedString.charCodeAt(i) );
    }
    return result;
}
If we now look into the settings.ini file we see:
PrivateSetting_GadgetName="C:%5CUsers%5CMark%5CAppData%5CLocal%5CMicrosoft%5CWindows%20Sidebar%5CGadgets%5CxDriveInfo.gadget"
PrivateSetting_Enabled="true"
username="l%60sjedwdmnqds"
password="nlodyu"
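An added example, not part of the original post or the gadget's code: it checks how much the fixed-key XOR routine hides by comparing the username from the first Settings.ini listing with its stored form in the second. The function names are illustrative, and it assumes Settings.ini percent-encodes values the way the %5C, %20 and %60 in the listings suggest.

```javascript
// Added example; the function names below are not part of the gadget.

// Same transform as the post's encrypt()/decrypt(), with the key as a parameter.
function xorWithKey(text, key) {
  var result = "";
  for (var i = 0; i < text.length; i++) {
    result += String.fromCharCode(key ^ text.charCodeAt(i));
  }
  return result;
}

// Assumption: Settings.ini percent-encodes some characters (e.g. %60 for `),
// so a stored value is decoded before it is compared.
function readStoredValue(iniValue) {
  return decodeURIComponent(iniValue);
}

// If `stored` is `known` XORed with one constant, return that constant,
// otherwise null. A non-null result means one known value (here the
// username) is enough to determine the key used for every other setting.
function constantXorKey(known, stored) {
  if (known.length === 0 || known.length !== stored.length) return null;
  var key = known.charCodeAt(0) ^ stored.charCodeAt(0);
  for (var i = 1; i < known.length; i++) {
    if ((known.charCodeAt(i) ^ stored.charCodeAt(i)) !== key) return null;
  }
  return key;
}

// Values copied from the post's two Settings.ini listings.
var plainUsername = "markdeveloper";
var storedUsername = readStoredValue("l%60sjedwdmnqds");

// The listed values correspond to a key of 1 (the code listing shows 2).
var impliedKey = constantXorKey(plainUsername, storedUsername);
console.log("key implied by the stored username:", impliedKey);

// Round trip with the key from the code listing: applying the same
// function twice returns the original, so the stored form is only as
// private as the constant in the gadget's script file.
var obfuscated = xorWithKey("secretpassword", 2);
console.log("round trip ok:", xorWithKey(obfuscated, 2) === "secretpassword");
```

The check succeeds because the key is a single constant shared by all values and shipped in the gadget's own script, so the routine obscures the password from a casual glance at the file but does not keep it from another gadget that can read Settings.ini.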
Download version 1.1.0.0 of the XDriveInfo gadget here.
- Mark Blomsma
Update: Changed the download link to point to Windows Live Gallery.
