Comments on Jeremiah Grossman: Stealing AutoComplete form data in Internet Explorer 6 & 7

D. Ebt Relief (2010-08-03T11:09:40.393-07:00):
This is first time I am listening this thing first time that how some one can steal the auto complete form data. But it can occur in many countries.

Pedro Laguna (2010-08-02T09:07:33.449-07:00):
I don't know if you know/try this but I created some time ago a quick demo to steal logging details from IE: http://www.equilibrioinestable.com/ie8/

Cheers!

Jeremiah Grossman (2010-08-02T08:57:55.019-07:00):
@Anonymous: While not directly familiar with browser internals (the code), I'd largely agree with your assessment. Asking a browser developer to constantly do checks for synthetic events is also just asking for mistakes -- major security mistakes. Various vendors would be wise to have a deeper look into this, but I have no idea if they are or not. BizLog vulns like this have not been historically popular to get to the bottom of.

Thanks for your comment!

Please email me if you can for a follow-up...

Zuk (2010-07-31T05:32:49.784-07:00):
https://bugzilla.mozilla.org/show_bug.cgi?id=534541

Bruteforcing domains to get all passwords/usernames.

Reported it 9/10 months ago, they didn't understand it at first post, but later they did.

Enjoyed the talk anyway!

Itzhak.

Anonymous (2010-07-30T12:00:34.698-07:00):
Jeremiah, let me elaborate on my comment. I want to push on this harder. I think it's important to do a root-cause analysis on these kinds of security vulnerabilities. It's not enough to stop at fixing a single bug: we should always be asking ourselves what we can do to take an entire category of security bugs off the table. And in this case, it looks like the autocomplete bug illustrates a deeper architectural flaw in the handling of input events.

The short-sighted way to react to this bug would be to say "Oh, the browser provides a way for developers to check each input event to determine whether the input event is real or synthetic. The developer should have checked whether the event was synthetic before acting on it, but didn't; there's your problem. Pilot error. As long as developers always check for synthetic events everywhere they read an input event, all is well." That's short-sighted, because it is an unsafe-by-default architecture.

I think what I'm hearing is that, the way IE is implemented, synthetic input events internally look identical to real input events, unless the developer adds some extra code to check specifically for that. Well, to me that seems nuts. From a security perspective, it sounds like a poor design decision.

If I'm understanding right, why aren't people jumping on this architectural flaw? It sounds like this is an issue of broader significance than just this autocomplete bug: as long as browsers use such an architecture, then we should expect to continue to see bugs of this sort.

It also sounds like it's not just IE; it sounds like Firefox may use a similar architecture. See, e.g., bug #511615 (https://bugzilla.mozilla.org/show_bug.cgi?id=511615) and the fix, https://bugzilla.mozilla.org/attachment.cgi?id=398471&action=diff (which is to sprinkle checks if (!IsEventTrusted(aEvent)) in dozens of places -- what are the odds that they got every place that needs it, and that this will remain true as Firefox code evolves?). So it sounds like Firefox is also using a rather dubious architecture.

Am I missing something? I know very little about browser internals, so I'm trying to infer from what information I can find -- and maybe my inferences are faulty.

Jeremiah Grossman (2010-07-30T07:44:38.620-07:00):
@Kyler: Indeed. Maybe if the Web just becomes simply too hazardous for IE 6/7, people will finally move. We'll see.

@Anonymous: That is exactly the case. Somehow the browser developer needs to be able to determine the difference between real UI events and synthetic ones. And yes, other browsers have been shown vulnerable.

@Paul Stone: You know, I that that disclosure when I was doing all my research last year! Nicely done. :)

@soroush: Would be nice if we had an easier way to crawl the web to see if the black hats were using these things. Maybe some day.

@Notice Forms: Anything modern is safer than IE 6/7. Google Chrome, Firefox 3.7, IE8, etc. They all have security/privacy trade-offs, but overall solid browsers.

Notice Forms (2010-07-30T03:57:43.250-07:00):
I have still been using IE 6. After reading this article, I have downloaded IE 8 and am feeling safe. You were really great in helping the people using IE. Are the other browsers like Mozilla and Opera safe to use?

soroush (2010-07-30T01:41:45.525-07:00):
Nice implementation again :)
Some vulnerabilities really need to have proof of concept to be fully discovered! I think by searching in Google we can find some other 0day (design flaws) as well! But it is not easy sometimes to implement them correctly ;)
Although a bug is not something that we make ourselves, we can look at its finding process as a patent :D
Thanks for sharing some cool ideas.

Paul Stone (2010-07-30T01:08:06.479-07:00):
I found pretty much the same problem in Firefox last year:

http://www.mozilla.org/security/announce/2009/mfsa2009-52.html

At the time I also checked IE8 and Chrome to see if they were vulnerable. After finding that they weren't I moved onto other things, but it seems I should have been more persistent :)

Anonymous (2010-07-29T22:27:43.743-07:00):
IE6 and IE7 let Javascript create synthetic keypress events and send them to the browser, as though the user had typed them? That's sick. Do other browsers allow that?

Seems like the broader lesson is that allowing Javascript to ever programmatically create UI input events is a really bad idea. It throws the trusted path principle to the wind.

Kyler IE Outreach Team (2010-07-29T11:13:01.827-07:00):
Another good reason to upgrade to the latest, safest version of Internet Explorer.
You can download Internet Explorer 8 here:

http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx