sites steal all private info, 0 clicks


davidh
July 22nd, 2010, 02:03 PM
IE and Safari lets attackers steal user names and addresses
Ripe for the picking, researcher says
By Dan Goodin in San Francisco
Posted in Security, 20th July 2010 21:15 GMT
http://www.theregister.co.uk/2010/07/20/browser_info_disclosure_weaknesses/

The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says.
... ...
Users who in the past have used the autocomplete features to store that information in versions 6 and 7 of IE or versions 4 and 5 of Safari will find that the information will be automatically zapped to the rogue website. No interaction is necessary other than to visit the page. Webmasters can set the input fields to be invisible to better conceal the attack.

In the case of Safari, Grossman's proof-of-concept attack simulates a user entering various letters or numbers into the fields. In a demonstration, when the script entered the letter J under a field titled “Name,” the browser automatically exposed “Jeremiah Grossman” to the web server. Grossman said he alerted Apple to the vulnerability on June 17, but received no reply other than an automatic response saying his message had been received.
... ...
Tricking IE 6 and 7 into coughing up the autocomplete details works in a similar fashion, but instead of simulating the entering of numbers or letters into a field, Grossman enters a user's down arrow twice and then the enter key to extract the stored information. If more than one record is stored in that field, the script will repeat the process so they can be lifted as well.
... ...
Grossman's research takes those findings to new highs. In addition to the weaknesses in IE and Safari, he has uncovered flaws in Mozilla Firefox and Google Chrome that can expose passwords stored by the browsers. The feature is designed to automatically enter the user name and password when a user visits a site such as Gmail or Facebook. The researcher says it's possible for unscrupulous webmasters to steal that information by hiding malicious code on their pages. For the attack to work, an XSS, or cross-site scripting vulnerability must be present on the site on which the stored password is used.
... ...
FWIW, Firefox Noscript will probably not protect against this. It will detect the XSS but by the time it alerts you it may be too late?

I personally only save logins for sites that I don't care much if I were to be compromised. Never for regular email or banking. I set Firefox to delete all cookies on exit.

davidh
July 22nd, 2010, 04:30 PM
FWIW, Firefox Noscript will probably not protect against this. It will detect the XSS but by the time it alerts you it may be too late?
:o
Noscript would block, as long as site not 'allowed'.
The XSS checking feature of Noscript might or might not block depending on exact implementation of javascript attack on malicious site AFAIK.
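
An added example, not part of the original posts or the quoted article: a heuristic check a defender could run over saved page source to flag the concealed, autofill-eligible input fields the article describes. The field-name hints, the inline-style patterns and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Field-name hints commonly tied to stored form data (assumed list, not exhaustive).
AUTOFILL_HINTS = re.compile(r"(name|e-?mail|address|street|city|zip|postal|phone|tel)", re.I)
# Inline-style patterns that hide an element from the visitor (heuristic).
CONCEALED = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(\.0+)?\s*(;|$)"
    r"|(width|height)\s*:\s*0(px)?\s*(;|$)|(left|top)\s*:\s*-\d{3,}px", re.I)
TEXT_TYPES = {"", "text", "email", "tel", "search"}


class HiddenAutofillFinder(HTMLParser):
    """Collects text inputs that look autofillable but are concealed by inline style."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        # type="hidden" inputs are not autofilled; only text-like inputs matter here.
        if a.get("type", "").lower() not in TEXT_TYPES:
            return
        # A field that opts out of autocomplete is not a candidate.
        if a.get("autocomplete", "").lower() == "off":
            return
        label = a.get("name") or a.get("id") or ""
        if AUTOFILL_HINTS.search(label) and CONCEALED.search(a.get("style", "")):
            self.findings.append((label, self.getpos()[0]))  # (field, source line)


def find_concealed_autofill_inputs(html):
    finder = HiddenAutofillFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample page, not taken from the article or the proof of concept.
SAMPLE = """<form>
<input type="text" name="q" placeholder="Search">
<input type="text" name="email" style="position:absolute; left:-9999px">
<input type="text" name="name" style="display: none">
<input type="hidden" name="csrf_name" value="x">
<input type="text" name="city" style="opacity:0" autocomplete="off">
</form>"""

if __name__ == "__main__":
    for label, line in find_concealed_autofill_inputs(SAMPLE):
        print(f"line {line}: concealed autofillable input '{label}'")
```

The check reads inline `style` attributes only, so fields hidden through a stylesheet class or by script after load are not seen by it.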