Security browsing this forum

Joined
Dec 8, 2003
Messages
1,412
Location
Southeast CO
I just read an article that may cause concern to anyone who is using IE7 or FF2. It basically states that someone could steal your username and password when you log in to forums or blogs. Just as a precaution, everyone using either of those browsers may want to stop letting it pre-fill your username and password when logging in here and to other forums and blogs, at least until this issue gets fixed. Here's the link to the article:

http://msn-cnet.com.com/Firefox,+IE...n+pages/2100-1002_3-6137844.html?tag=nefd.top


I am no computer/internet wiz, but I will be manually entering my login info for now. Maybe the wizzes can elaborate on this?

Bob
 
If I'm reading this correctly, it applies to fake login pages... That would require someone to upload a fake page to the Stormtrack server, which doesn't appear likely. It's like the emails that point you to www.ebayy.com or some other spoof site. Someone might, might, might be able to make some sort of invisible HTML form and put it into a post/thread, but I'm not sure FF or IE would autofill such an 'invisible' form (I'm not sure how to make it invisible other than to use a stylesheet/CSS to add the "visibility:hidden" attribute, or to make the form extremely small so as to make it almost invisible).
 
Last edited by a moderator:
Here's the info on how this works:

Thanks to the popularization of AJAX (Asynchronous Javascript And XML), which allows a page to contact the server WITHOUT refreshing the page. The phisher, as the people who want this information are called, has a form that has field names, such as "username" and "password", which autocomplete recognizes and fills in for you. Well, once the data is in the field it is immediately accessible by Javascript which reads the data in the field and then transmit it, using AJAX (or some form of), to the phishers server. From there, who knows where your info goes.

This can either be accomplished in one of three ways. Either the page itself can be uploaded to the server where the user would normally log in, or by using cross-site scripting (XSS), where a remote Javascript file is loaded into the page. With the XSS method, no other action is needed since the form is already there and all they have to do is transmit the data before you click the button to log in.

The third way, which is how MySpace was hit, was due to using a stylesheet that would cause the MySpace content to vanish and show a login screen. I've actually figured out how this is done, though I certainly did not leave my profile like that. The simple solution to this, is that if you are ever given a prompt to log back in, simply go to the root domain and log back in there. This method though is circumvented by the use of the AJAX request to send the data back if Autocomplete was turned on.

In reality, this isn't a bug in the browsers, and I'm curious to know how they combat this since it's not a bug, but simply a new use for existing functionality in Javascript.

The simplest and most secure way is to just turn off Autocomplete. Telling the server to remember you, or always stay logged in, is not going to be very secure since the Javascript would have access to the cookies that were created by the domain.
 
Thanks, guys! I use FF2 with NoScript, so it sounds as though I may be protected. If Java is the culprit that enables this to happen, then NoScript would block it, I'm guessing.
 
Back
Top