Featured Articles

IHS teardown reveals Galaxy S5 BOM

IHS teardown reveals Galaxy S5 BOM

Research firm IHS got hold of Samsung’s new flagship smartphone and took it apart to the last bolt to figure out…

More...
Galaxy S5, HTC One M8 available selling well

Galaxy S5, HTC One M8 available selling well

Samsung’s Galaxy S5 has finally gone on sale and it can be yours for €699, which is quite a lot of…

More...
Intel lists Haswell refresh parts

Intel lists Haswell refresh parts

Intel has added a load of Haswell refresh parts to its official price list and there really aren’t any surprises to…

More...
Respawn confirms Titanfall DLC for May

Respawn confirms Titanfall DLC for May

During his appearance at PAX East panel and confirmed on Twitter, Titanfall developer Respawn confirmed that the first DLC pack for…

More...
KFA2 GTX 780 Ti Hall Of Fame reviewed

KFA2 GTX 780 Ti Hall Of Fame reviewed

KFA2 gained a lot of overclocking experience with the GTX 780 Hall of Fame (HOF), which we had a chance to…

More...
Frontpage Slideshow | Copyright © 2006-2010 orks, a business unit of Nuevvo Webware Ltd.
Friday, 23 July 2010 08:28

Critical weaknesses found in four browsers

Written by Nick Farell


Safari, IE, Chrome and Firefox
The autocomplete features in Safari, IE, Firefox, or Chrome are vulnerable to ID theft and other attacks.

Insecurity expert Jeremiah Grossman is expected to tell a Black Hat conference that the four major browsers have critical weaknesses that have yet to be addressed by their respective companies, and could expose users' passwords, e-mail addresses, and more to attackers.

Grossman will show off a proof-of-concept attack at next week's conference but said that he is only doing so because he could not get the four main software outfits involved to take his hack seriously. If you have autocomplete turned on in many browsers, you just have to begin typing a letter or two in one of the fields before they all fill in with your name and address, possibly your credit card number, and more.

Grossman says attackers can simply create a page with hidden form fields that use JavaScript to enter letters and numbers into each field until it finds one that's a hit, and the browser autocompletes it. All users have to do is load the page, and they likely wouldn't even be aware of what's happening.

The autocomplete exploit works in the two most recent versions of Safari (4 and 5), as well as IE 6 and 7. Firefox and Chrome aren't susceptible to this particular attack, though they were vulnerable to another one involving the autocomplete.

Grossman says that the two browsers can expose stored usernames and passwords for saved sites, making it possible for a cross-site scripting vulnerability to grab the info when a user logs into a Google account or Facebook, for example. He said that he would never have talked about this publicly if Apple had taken this seriously, when he sent a follow-up query.
Last modified on Friday, 23 July 2010 09:58

Nick Farell

E-mail: This e-mail address is being protected from spambots. You need JavaScript enabled to view it
blog comments powered by Disqus

Comments  

 
-1 #1 Haberlandt 2010-07-23 19:22
Just turn autocomplete off.
 
 
-1 #2 pogsnet 2010-07-23 23:03
Don't browse the internet, surely you are safe.

It's like if you don't want to experience car accident then don't drive a car.

I was just kidding, the point is risks are part of life, if there is no risk life is boring. Just use updated browsers as a good advice.
 
 
+3 #3 Bl0bb3r 2010-07-23 23:05
I remember the file upload form was a problem with Firefox and was fixed.

However, the flaw is not working on password fields since they don't autocomplete nor on fields that have autocomplete turned off. This is more of a web development thing and should be known by all devs making credit card forms.
 
 
0 #4 blandead 2010-07-24 11:41
Quoting Bl0bb3r:
I remember the file upload form was a problem with Firefox and was fixed.

However, the flaw is not working on password fields since they don't autocomplete nor on fields that have autocomplete turned off. This is more of a web development thing and should be known by all devs making credit card forms.


that is most correct. there are options to have the fields not show in plain-text for sensitive data if you are to show it at all. plus with a good anti-virus or even the right add-on that javascript will never run in the first place.
 
 
-1 #5 God Of Atheism 2010-07-27 07:45
You mention ie 6 and 7 which are of course long obsolete, what about ie 8?
 
 
0 #6 Bl0bb3r 2010-08-01 11:11
Quoting God Of Atheism:
You mention ie 6 and 7 which are of course long obsolete, what about ie 8?




not-as-long-as-ie6 obsolete :D
 

To be able to post comments please log-in with Disqus

 

Facebook activity

Latest Commented Articles

Recent Comments