I was making a Firefox Extension to quickly check my account balance at one of the banks I use. They have some annoying password policies (6-8 characters, [A-Za-z0-9]), but they do lock out an account after a couple of failed attempts and require out-of-band authentication (SMS). So after I finished what should have worked, the response I was getting was constantly bad password or client ID. After some digging I found the password submitted kept changing each time. (I didn’t know it wasn’t my password the first time, because who in their right mind doesn’t use a password manager?)
After a few moments of looking over the included scripts I came across this in the JavaScript:
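    // p is the real password, k is the key, a is the alphabet
    function NABcrypt(p, k, a) {
        // Remove repeated characters from the alphabet (keep first occurrence)
        for (var i = a.length - 1; i > 0; i--) {
            if (i != a.indexOf(a.charAt(i))) {
                a = a.substring(0, i) + a.substring(i + 1);
            }
        }
        var r = new Array(p.length);
        for (var i = 0; i < p.length; i++) {
            // Default: the character passes through unchanged
            r[i] = p.charAt(i);
            var pi = a.indexOf(p.charAt(i));
            // Only shift characters that are in the alphabet and have a key character
            if (pi >= 0 && i < k.length) {
                var ki = a.indexOf(k.charAt(i));
                if (ki >= 0) {
                    // Subtract the key index from the password index, modulo a.length
                    pi -= ki;
                    if (pi < 0) pi += a.length;
                    r[i] = a.charAt(pi);
                }
            }
        }
        return r.join("");
    }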
A simple key-based substitution cipher: k changes, and a is 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.
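The function above is a per-position (Vigenère-style) shift over a 62-character alphabet, so anyone holding k can undo it, and it adds no confidentiality beyond the TLS session. The sketch below is an added example, not the bank's code; the names `shift`, `encode` and `decode` and all sample values are constructed for illustration.

```javascript
// Alphabet `a` as given in the post. It has no repeated characters, so
// NABcrypt's de-duplication loop leaves it unchanged and is omitted here.
const ALPHABET =
  "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

// Shift each character of `text` by the index of the matching key character.
// sign = -1 reproduces NABcrypt's subtraction; sign = +1 reverses it.
function shift(text, key, sign) {
  const n = ALPHABET.length;
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const ti = ALPHABET.indexOf(text[i]);
    const ki = i < key.length ? ALPHABET.indexOf(key[i]) : -1;
    // Same pass-through rules as the original: a character outside the
    // alphabet, or a position with no usable key character, is unchanged.
    out += ti >= 0 && ki >= 0 ? ALPHABET[(ti + sign * ki + n) % n] : text[i];
  }
  return out;
}

const encode = (p, k) => shift(p, k, -1); // same output as NABcrypt(p, k, a)
const decode = (c, k) => shift(c, k, +1); // the inverse, given the same k

// Constructed sample values (not real credentials or real keys).
const samplePassword = "abc";
console.log(encode(samplePassword, "123")); // one key
console.log(encode(samplePassword, "321")); // another key, different output
console.log(decode(encode(samplePassword, "123"), "123")); // round trip
console.log(encode("abcd", "12")); // key shorter than the password
```

The last call shows a detail of the original loop: positions past the end of k are submitted unmodified. The changing output for a fixed password is also why a client that replays a stored value is rejected.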
I’ve only come across something similar before in aSSL (a broken-by-design transport security). I can’t for the life of me think of why this would be useful; if it is to protect against client-side malware, a simple software keylogger would already have the password.
Please don’t do this.
I felt Responsible Disclosure did not apply as there is no risk; transport layer security is implemented.