The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says. In a talk scheduled for next week …
I feel I'm missing out
My browser has autocomplete turned off, deletes all cookie, form and history data on exit, and doesn't store passwords.
If I want to do any banking, I first close any open browser instance, start a new one, and close it again as soon as I've finished with my bank's site.
Didn't realise you could turn auto-complete off (security issues aside, I find it rather annoying, since it also stores all the typos you sometimes make) - will definitely be investigating this option.
But yeah, for banking I use Opera, open a fresh tab, refuse to store any passwords, and make sure all other tabs are closed when I go there. Deleting all private data after (and sometimes before if I can't remember when I last did it) is also a very useful option.
Joe average web (l)user does not. This attack will work on 98%+ of the web population.
stops keyloggers that then does it???
No, didn't think so, ergo FAIL.
Maybe you can explain what part of this article has anything to do with key loggers?
Were you compelled to make some sort of knee-jerk smart-arsed comment? (I'm particularly struck by semi-literate juxtaposition of "ergo" with the gamer-slang "fail"... Maybe this is an attempt to appear both street-wise and intellectual? I does not succeed.)
OP's actions will remove the exploit highlighted in the article. If your machine has a key-logger in place, then auto-complete is not your immediate problem (it may have been, but it no longer is). Your comment is about as useful as saying that a decent firewall won't protect against a madman, in your server room, armed with an axe. While perfectly true, it contributes absolutely nothing to the debate.
The problem with the OP's approach (as I am sure the OP is perfectly well-aware) is that auto-complete exists to serve the 99% of people who would rather not take that approach in the first place, and for whom it thus acts as a vulnerability. To summarize, you can never put a "do all that security stuff for me" feature, into a piece of software, and hope that it will never act as a route to security vulnerabilities.
Damn Good Choices
Too bad the rest of the world hasn't caught on to how best to be secure. But then, condom sales are down worldwide so go figure.
Pot Kettle Scenario
I does not succeed.
Really, do you not!
You sat there bestoling the virtues of clearing your cache as being the be all and end all of YOUR idea of computer security.
Perhaps you should take the advice offered re keyloggers and re-examine your response,
So, yes, I was compelled because you clearly need the help.
I sat there deriding the fact that you hadn't read the article, but still felt you could sound terribly wise, by wising-off against everyone else, you tiresome twat.
You are correct... Key loggers are BAD.
Explain what key logging has to do with this article?
Kinda misleading first paragraph...
Safari and Internet Explorer seem to be vulnerable to these attacks (getting user data from any site the user visits), but Firefox and Chrome are only susceptible to an attack like this if the (official, correct) site is compromised with an XSS vulnerability, which limits the scope greatly, and places more of the burden on the websites not being vulnerable to this kind of exploit in the first place, than on the browser a visitor is using.
The other browsers (IE and Safari) leak this information to any site built to take advantage of this hole, meaning it's a far greater concern than the one affecting Firefox and Chrome.
Yeah, it's misleading, but finish reading the article.
Safari, Firefox, Chrome and old versions of IE gave out pre-entered information.
Firefox and Chrome also gave out passwords. Though the passwords were only accessible on readily exploitable websites.
All four would wipe cookies after 2-3 seconds.
Oddly IE8 seems to be the safest browser for this. If only because the rest of them look worse right now.
You have emphasised my point exactly. Chrome and Firefox would only be able to leak a password if you visited the ACTUAL page where those passwords were supposed to be used - allowing a single password to be leaked ONLY if the site had been compromised in advance. Considering that "important" passwords are often for extremely high profile sites - Google services, banks and building societies, social networking sites etc, the scope of the vulnerability is much reduced (these companies have the most to lose through a security breach, so it is logical to think that they put more emphasis on building secure websites that would not be vulnerable to this type of attack).
For IE and Safari, all you have to do is visit ANY page under the control of a malicious organisation. For Chrome and Firefox, one has to visit the correct page the passwords/data would be used on, but the page would have had to have been previously compromised to enable it to leak information. A significant difference in difficulty between the two.
and Opera unaffected as usual...
Wonder how many more times people need to see their browsers falling apart around them before they choose one built from the ground up to adhere to web standards and thus better security...
Interestingly, this cropped up the other day, eBay basic picture uploader relies on a security exploit in most browsers except Opera to work correctly....
2. Standards are not security. IANA expert on these standards here, but I highly doubt there's one that says that the browser's autocomplete functions shouldn't operate on programmatically entered data. There have been numerous instances where the standards used for one system or another have been shown to have gaping holes in them. (DNS and WEP come to mind.) A standard is just a bunch of requirements that a committee manages to agree upon.
RE: and Opera unaffected as usual...
But, in my experience at least, Opera is a bugger to use. I still can't find the cookie whitelist feature (if it has it) and blocking scripts and images seems needlessly complex.
Perhaps I've just got too used to Firefox, but whenever I've tried to give Opera a go I've ended up returning to Firefox.
I have Opera, I test my local pages in it (having more or less stopped bothering with IE8), and when I run Opera on the real internet, I get animated adverts embedded in pages - like El Reg. From where? Not the host site. From anywhere, and any one of them could be carrying a payload.
Opera may be a lovely secure browser, but the stuff it lets in is a security fail. You can argue how bad add-ons are, you can argue the sun and moon and stars too, but until Opera has a means to block and allow (without all sorts of headaches) the stuff I want blocked/permitted, I will give it no consideration as a serious browser.
Moral of the story
Why is the "myth that web surfing is largely an anonymous act" still so "widely held" when, for the last decade or so, it has been so evidently false?
This article illustrates a fact of online life: all web browsers have flaws, all flaws can be exploited. It also highlights the age-old issue of 'security versus utility' - for example, autocomplete might be convenient occasionally but storing unencrypted identifying data self-evidently compromises security (even if it's just YouPorn popping up as the missus starts to type in YouGov).
The moral is that *all* browsers are vulnerable to exploits if used with default settings so users should set them up to reduce exposure - turn off autocomplete, never store any unencrypted information, delete session data (including cache and cookies) on exit, never checkmark "remember me on this computer" features, don't bookmark any site you don't want the world to know you visit, and install reputable security add-ons such as NoScript for Firefox.
However, those precautions will only reduce, not eradicate, exposure - so don't be lulled into a false sense of security just because you've zapped a few cookies.
Anonymous online? Yeah. Right.
If a website is malicious... (2nd exploit)
Then no choice of browser or options or disabling the password manager will help. So of course the four major browsers are going to be vulnerable, as are the rest and Telnet to port 80.
That part of the article sounds like a story for the Daily Mail.
A Reg icon for posting to Facebook. Yay!
If I load a malicious web site,
then as soon as I realise, I close it again. In the absence of browser vulnerabilities, I will be safe, although obviously that's optimistic.
And if for instance I find myself at a fake version of a reputable web site, a modern browser is likely to notice, for instance colouring the address bar green for safe and red for unsafe.
This evidently is a story about this type of security breaking down due to unsatisfactory browser implementation.
I hope you aren't serious...
The "type of security" of which you speak is actually no security at all in this case, and undoubtedly many others.
Read The F**king Article
RTFA - mmm, nice one!
Sure about this?
Safari helpfully gives me a list of sites that it will use auto-complete for.
If your site's not on the list, Safari won't help with auto-complete, no matter how hard I try.
... so how has this guy managed to make it do that?
XSS vulnerability on the original site perhaps?
With regard to the XSS Firefox vulnerability,
to the degree that I understand the matter aright, Giorgio Maone's NoScript should block it. Running a browser on a Windows OS without NoScript is simply asking for trouble. Personally, I'd love to see such an extension for Chrome !...
Or just use Opera
which of course has included this for years, no plugin needed.
Your a bit of a tw*t for using autocomplete anyways.....
Lazy like not learning the difference between "your" and "you're" you mean?
Exactly the reason I've always turned Autocomplete off
When setting up computers, never bothered researching whether it was possible, just seemed like it would be an obvious/easy to exploit. Good to know I wasn't just being paranoid.
How about a compromise
How about an autocomplete that only works when the site to which the information will be disclosed is the SAME site that the information was originally submitted to?
I've never seen autocomplete on Safari (mac or PC) or IE autocomplete a credit card number. Names, yes. Addresses, usually. Phone numbers often and usually the wrong one too but CC details? No.
Plus, isn't just the number not enough? You also need the expiry date and the security number (the one on the back) before you could use the thing fraudulently. And getting all of that by autocomplete, consistently for the same card rather than say the number on one card and the expiry date of another?
All seems a little bit less immediately bad than he seems to be suggesting to me. Still, security researcher exaggerating an issue just in front of a major news coverage period Sorry conference, that's never going to happen is it?
Jonathan you clueless twit
IF you assume the credit card details have been entered into autocomplete, it logically follows that the expiration date and ccv will also be stored. As you noted you need all three to complete an online transaction. The only reason to enter the card number is because you are completing an online transaction, so the other two will be entered at the same time.
Granted the fool who stores a cc number in autocomplete is a bigger twit than you are, but that doesn't excuse you.
Element 5, others
Our old ISP management software allowed credit card numbers to be saved in the autocomplete. That was 10 years ago and they received quite a tongue-lashing for not including a simple tag to defeat this feature (although, I believe there is a defeat-defeating option available now. hrmmmm)
Anyway, Element 5's website allows information like that to be saved in autocomplete. IE does it, Firefox does it. Safari and Opera may, but I do not use either of those for general purposes.
Paris does it, too.
Even the big boys
I know of a FTSE 100 company that stores credit card numbers and CCVs in autocomplete... reported the bug to them 4 years ago when I used to work there and they've still not fixed it.
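An added example, not written by any commenter in this thread: a small audit that flags payment-card and password inputs a browser is still free to remember, the condition the comments above describe. It assumes the "simple tag" mentioned above is the HTML `autocomplete="off"` attribute; the field-name heuristic and both sample forms are constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Assumed heuristic: field names that suggest card or credential data.
SENSITIVE = re.compile(r"card|cvv|cvc|ccv|expir|passw", re.I)
SKIP = ("hidden", "submit", "button", "checkbox", "radio")

class AutocompleteAudit(HTMLParser):
    """Collect sensitive <input> fields that remain eligible for autocomplete."""
    def __init__(self):
        super().__init__()
        self.form_off = False   # enclosing <form> sets autocomplete="off"?
        self.findings = []      # names of sensitive inputs left eligible

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete", "").lower() == "off"
        elif tag == "input" and a.get("type", "text").lower() not in SKIP:
            label = a.get("name") or a.get("id") or "(unnamed)"
            sensitive = a.get("type", "").lower() == "password" or bool(SENSITIVE.search(label))
            own = a.get("autocomplete", "").lower()
            # An input's own attribute overrides the value inherited from its form.
            off = own == "off" or (own == "" and self.form_off)
            if sensitive and not off:
                self.findings.append(label)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages, not taken from any real site.
WEAK = """<form action="/pay" method="post">
  <input type="text" name="fullname">
  <input type="text" name="cardnumber">
  <input type="text" name="ccv">
</form>"""
FIXED = """<form action="/pay" method="post" autocomplete="off">
  <input type="text" name="cardnumber">
  <input type="text" name="ccv" autocomplete="off">
</form>"""

print(audit(WEAK), audit(FIXED))
```
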
A public service
> Grossman's Black Hat presentation will also demonstrate how a webmaster can silently delete all of a user's browser cookies. The mass cookie deleter works by setting thousands of cookies as soon as a user visits the site.
Some of us might consider that to be a public service for the common good!
Sites Like El Reg
Sites such as El Reg make this worse by using an authenticated email as the login. If I could login using my made up lusername the leaked data would be of much lower value. Yes, I'm lazy for using autocomplete but you are also lazy for using the email addy for login purposes.
I pretty much always use fake info when possible, a zip code that only matches the first 3 digits if I'm after weather for example, phone numbers with the correct area code but nothing else.
Disposable email addresses
I use a wild-card based system so that I can hand disposable (or more accurately, trackable) addresses to everyone. Any time I get spam I blacklist the offending inbound address and (if I can be arsed) have a rant at the git that leaked it.
As a result I get at most half a dozen spams in my inbox a year(*) and I only get them once.
(*)My mail server sees a lot more but it just ignores the bad ones.
Text Mode Browsing
Install a text mode only browser. You'll never regret it.
Can you get text mode images?
What's the big deal?
People that don't *have* names, addresses and credit card details have nothing to fear.
Well yes there is.
You know it makes sense.
Apparently <a ..> </a> no longer works
Which is why so many sites define an onclick() handler to implement links! Graargh!
Ah, so it's NoScript to the rescue... again. :-)
How to Frakk Up Really Well
Store a password anywhere besides in your own brain.
He who trusts anybody other than himself to provide security for his data has already been screwed. And don't step on any cracks either while you're at it.
Safari & Old versions of IE:
Visit any website and it could steal any information you've ever entered into a form which auto complete has remembered.
Firefox & Chrome:
Visit a website with severe security issues (such that people can steal your cookie and pose as you), and it might delete all your cookies for the site (typically results in being forced to log you out) or steal your login information by presenting a bogus login form which your browser will then dutifully fill out.
Basically if the website is vulnerable to XSS, these are probably not at the top of the list of your worries. To put it in context, if I reported these vulnerabilities to firefox or chrome I'd not expect to receive a bug bounty because it's akin to closing the stable doors after the horses have bolted.
The reporter is perfectly correct to only list Safari & IE as vulnerable in the byline, in fact it shows a level of understanding I'd not expect from most reporters.
I believe the article states that cookie deletions will be global because a cookie flood forces the browser into panic deletions to free space.
Of course since I always run Firefox in "ask me every time" mode for how long to keep cookies I get prompted at least once for each site. After the first few cookies I choose not to accept them if the site is working fine without them or to accept them for a longer period if it's a site I would actually return to.
You are never truly safe online
Internet safety and privacy is a myth, and the only thing one can do is be vigilant. IMHO, HTTP is an inherently unsafe protocol, due to the fact that it streams clear text across the pipe. One must always be cautious, and a decent anti-virus suite, even a free one like AVG, will help. Just assume someone is hacking your passwords, and prepare for the worst.