Essentially I described how a malicious website could steal its visitors' names, job titles, workplaces, physical addresses, telephone numbers, email addresses, usernames, passwords, search terms, social security numbers, credit card numbers, and on and on by manipulating a Web browser's HTML form auto-complete / autofill functionality. For good measure I also showed how a Web page could evict all of a user's cookies, thereby automatically logging the user out of all their current sessions, deleting tracking cookies, and so on. Lastly, with only clever bits of JavaScript, these attacks impact millions of Web users cheaply via online advertising networks. Yes, a lot of fun.
My complete “Breaking Browsers: Hacking Auto-Complete” slide deck is available. I’ve put up a series of blog posts describing each of the distinct Web hacking techniques complete with proof-of-concept code, screen shots, videos, and technical explanations. Enjoy!
- Safari v4/v5 AutoFill Web form vulnerability (CVE-ID: CVE-2010-1796)
- Internet Explorer 6 & 7 stealing AutoComplete form data
- Firefox mass spoofing form auto-complete data
- Stealing passwords out of the Firefox and Chrome password manager using XSS.
- Cookie Eviction - Deleting ALL of a users cookies across ALL websites
Other closely related Auto-Complete / AutoFill bugs:
5 comments:
Is going into the browser's security/personal settings and deleting previously stored sensitive passwords enough to prevent them being compromised, or are they still stored and vulnerable to the techniques detailed above even after being deleted by the user?
@Benji: That depends on the browser you are using. IE 6/7 and Safari have not been properly patched. IE8/9, Chrome, and Firefox are generally going to be the best choices to protect your auto-complete data. For passwords though, all are susceptible in some way. You might consider a third-party password manager to use instead.
Thank you for the reply Jeremiah.
Can I ask, just to clarify, does turning off the auto-complete and password manager options in a browser like Firefox or Chrome (that I use), then deleting (through the browser's dialog box) previously stored passwords and auto-complete data, mean that (even if my browser is compromised) the data won't be there to steal because it's been deleted and won't be inadvertently re-captured because the Auto-Complete and Password Remembering functionality has been turned off?
I'm sorry if I'm being dense. But your article was a wake-up call as my main email account and even some internet banking data was auto-completing. So I've taken the steps detailed above to protect myself and am now entering this data manually every time. I'd like to be able to recommend my friends do the same so I need to know if taking the steps above actually makes a difference.
Thanks Again.
@Benji: Yes. If you disable the auto-complete features and remove the data, then if your machine / browser is compromised in some way, that data will not be lost -- because it doesn't exist. However, if your machine is hacked, you likely have bigger problems than auto-complete. Best to keep secure in all facets.
For myself, I think securing a piece of paper with my passwords is easier and safer than anything on my computer. Food for thought.