http://abcnews.go.com/sections/tech/DailyNews/iehole990315.html New Web Browser Feature May Put Private Info At Risk Internet Explorer 5.0 users might be vulnerable to hackers if they enter credit cards and other information using the browser's AutoComplete feature. (A.Shepherd/ABCNEWS.com) By Michael J. Martinez March 15 A new feature in the latest edition of Microsoft's Internet Explorer Web browser could make personal information available to other people accessing your computer, either in person or online. Security experts say the "AutoComplete" feature in Internet Explorer 5.0, which records and reproduces the information a user enters into online forms (such as an e-commerce order form or a contest entry), could potentially be accessed by hackers posing as the computer's primary user. "If someone does indeed gain remote access to your computer, you might indeed run into a vulnerability there," acknowledges Mike Nichols, program manager for Internet Explorer at Microsoft. Nichols stresses, however, that no such attacks on IE 5.0 have been documented. The AutoComplete feature can be disabled by the user. Convenience vs. Security The new feature in IE5, which will be formally launched Thursday, is an extension of the AutoComplete feature from past browsers. In previous versions of IE, typing out the first few letters of a previously accessed URL brings the entire address up. This feature has been extended to online forms. So, for example, if a user buys a book at an online bookstore, entering the first few letters of his or her name prompts the browser to enter the complete name. The same goes for other information, including passwords, phone numbers and credit card numbers. Such information is encrypted and stored in the Windows Protected Store, a file that is part of the Windows operating system. Each user on a workstation or personal computer has his or her own encrypted storage area, tied to his or her password. "This is a secure environment," Nichols says. "If you're not logged in, nobody can access it." Breaking and Entering Remote access is another matter. There are a number of so-called "exploits" - downloadable programs that serve as hacking tools - that allow remote users to gain control of a computer as if the remote user was actually sitting at the computer and logged in. The exploit called "Back Orifice," introduced by the hacker group Cult of the Dead Cow last summer, is one of many different tools that can take a variety of forms. "If the user can type a few characters and have the rest filled in for him, a program can be written to simulate a user doing the same thing," says DilDog, a hacker with L0pht Heavy Industries, a hacking and security consulting group in Boston. "It's a useful little widget, but it suffers greatly if it is used to store sensitive information." DilDog, who discovered and publicized a number of security flaws in IE4, says the AutoComplete issue would probably be the least of a users' worries if someone gains remote access to their computer. Nevertheless, he calls it a "bad idea" to access sensitive information through the browser. Protecting Yourself Users who feel their computers might still be vulnerable are often encouraged to keep personal information - financial files, correspondence, etc. - on a floppy disk to avoid having someone rifle through them. The AutoComplete hole could allow a remote hacker to check the browser for sensitive information. "This could very well be a new problem," says Peter Tippett, president of ICSA, Inc., a computer security consulting business. "When someone accesses your computer without you knowing it, a lot of things could go wrong." Safe Computing Practices Use anti-virus software and a screen saver. Don't open programs (usually with .exe extensions) sent via e-mail from unknown sources. Don't download anything from unfamiliar Web sites. Make sure to update your software with security patches. Those are commonly available online through the software vendor.