IE and Safari lets attackers steal user names and addresses

The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says. In a talk scheduled for next week …

COMMENTS

This topic is closed for new posts.
  1. Will Godfrey Silver badge
    Happy

    I feel I'm missing out

    My browser has autocomplete turned off, deletes all cookie, form and history data on exit, and doesn't store passwords.

    If I want to do any banking, I first close any open browser instance, start a new one, and close it again as soon as I've finished with my bank's site.

    1. TrinityX
      Pint

      Indeedy...

      Didn't realise you could turn auto-complete off (security issues aside, I find it rather annoying, since it also stores all the typos you sometimes make) - will definitely be investigating this option.

      But yeah, for banking I use Opera, open a fresh tab, refuse to store any passwords, and make sure all other tabs are closed when I go there. Deleting all private data after (and sometimes before if I can't remember when I last did it) is also a very useful option.

    2. Anton Ivanov
      Terminator

      You do

      Joe average web (l)user does not. This attack will work on 98%+ of the web population.

    3. Anonymous Coward
      Anonymous Coward

      Ahh, I see

      stops keyloggers that then does it???

      No, didn't think so, ergo FAIL.

      1. Daniel 1

        Maybe you can explain what part of this article has anything to do with key loggers?

        Were you compelled to make some sort of knee-jerk smart-arsed comment? (I'm particularly struck by semi-literate juxtaposition of "ergo" with the gamer-slang "fail"... Maybe this is an attempt to appear both street-wise and intellectual? I does not succeed.)

        OP's actions will remove the exploit highlighted in the article. If your machine has a key-logger in place, then auto-complete is not your immediate problem (it may have been, but it no longer is). Your comment is about as useful, as saying that a decent firewall won't protect against a madman, in your server room, armed with an axe. While perfectly true, it contributes absolutely nothing to the debate.

        The problem with the OP's approach (as I am sure the OP is perfectly well-aware) is that auto-complete exists to serve the 99% of people who would rather not take that approach in the first place, and for whom it thus acts as a vulnerability. To summarize, you can never put a "do all that security stuff for me" feature, into a piece of software, and hope that it will never act as a route to security vulnerabilities.

        1. Anonymous Coward
          Thumb Down

          Pot Kettle Scenario

          I does not succeed.

          Really, do you not!

          You sat there extolling the virtues of clearing your cache as being the be all and end all of YOUR idea of computer security.

          Perhaps you should take the advice offered re keyloggers and re-examine your response,

          So, yes, I was compelled because you clearly need the help.

          1. Daniel 1

            No

            I sat there deriding the fact that you hadn't read the article, but still felt you could sound terribly wise, by wising-off against everyone else, you tiresome twat.

            You are correct... Key loggers are BAD.

            Explain what key logging has to do with this article?

    4. Doug Glass
      Go

      Damn Good Choices

      Too bad the rest of the world hasn't caught on to how best to be secure. But then, condom sales are down worldwide so go figure.

  2. Vigilante
    Stop

    Kinda misleading first paragraph...

    Safari and Internet Explorer seem to be vulnerable to these attacks (getting user data from any site the user visits), but Firefox and Chrome are only susceptible to an attack like this if the (official, correct) site is compromised with an XSS vulnerability, which limits the scope greatly, and places more of the burden on the websites not being vulnerable to this kind of exploit in the first place, than on the browser a visitor is using.

    The other browsers (IE and Safari) leak this information to any site built to take advantage of this hole, meaning it's a far greater concern than the one affecting Firefox and Chrome.

    1. Anonymous Coward
      Anonymous Coward

      Yeah, it's misleading, but finish reading the article.

      Safari, Firefox, Chrome and old versions of IE gave out pre-entered information.

      Firefox and Chrome also gave out passwords. Though the passwords were only accessible on readily exploitable websites.

      All four would wipe cookies after 2-3 seconds.

      Oddly IE8 seems to be the safest browser for this. If only because the rest of them look worse right now.

      1. Vigilante
        Megaphone

        Exactly.

        You have emphasised my point exactly. Chrome and Firefox would only be able to leak a password if you visited the ACTUAL page where those passwords were supposed to be used - allowing a single password to be leaked ONLY if the site had been compromised in advance. Considering that "important" passwords are often for extremely high profile sites - Google services, banks and building societies, Social networking sites etc, the scope of the vulnerability is much reduced (these companies have the most to lose through a security breach, so it is logical to think that they put more emphasis on building secure websites that would not be vulnerable to this type of attack).

        For IE and Safari, all you have to do is visit ANY page under the control of a malicious organisation. For Chrome and Firefox, one has to visit the correct page the passwords/data would be used on, but the page would have had to have been previously compromised to enable it to leak information. A significant difference in difficulty between the two.

  3. Anonymous Coward
    FAIL

    and Opera unaffected as usual...

    Wonder how many more times people need to see their browsers falling apart around them before they choose one built from the ground up to adhere to web standards and thus better security...

    Interestingly, this cropped up the other day, ebay basic picture uploader relies on a security exploit in most browsers except Opera to work correctly....

    http://my.opera.com/hallvors/blog/2010/07/13/ebay-versus-security-policy-consistency

    1. Anonymous Coward
      Anonymous Coward

      Two points

      1. The researcher was, like most, too lazy to test Opera. It probably has some of the same issues if autocomplete can be activated by a JavaScript modification of a text box.

      2. Standards are not security. IANA expert on these standards here, but I highly doubt there's one that says that the browser's autocomplete functions shouldn't operate on programmatically entered data. There have been numerous instances where the standards used for one system or another have been shown to have gaping holes in them. (DNS and WEP come to mind.) A standard is just a bunch of requirements that a committee manages to agree upon.

    2. Cameron Colley

      RE: and Opera unaffected as usual...

      But, in my experience at least, Opera is a bugger to use. I still can't find the cookie whitelist feature (if it has it) and blocking scripts and images seems needlessly complex.

      Perhaps I've just got too used to Firefox, but whenever I've tried to give Opera a go I've ended up returning to Firefox.

    3. heyrick Silver badge

      Opera unaffected?

      When Opera can provide a proper NoScript-like functionality that also blocks Flash and PDF unless requested (so don't be glib and say "turn off Javascript"), I will consider Opera.

      I have Opera, I test my local pages in it (having more or less stopped bothering with IE8), and when I run Opera on the real internet, I get animated adverts embedded in pages - like El Reg. From where? Not the host site. From anywhere, and any one of them could be carrying a payload.

      Opera may be a lovely secure browser, but the stuff it lets in is a security fail. You can argue how bad add-ons are, you can argue the sun and moon and stars too, but until Opera has a means to block and allow (without all sorts of headaches) the stuff I want blocked/permitted, I will give it no consideration as a serious browser.

  4. Dan 55 Silver badge
    Thumb Down

    If a website is malicious... (2nd exploit)

    Then no choice of browser or options or disabling the password manager will help. So of course the four major browsers are going to be vulnerable, as are the rest and Telnet to port 80.

    That part of the article sounds like a story for the Daily Mail.

  5. Sceptical Bastard

    Moral of the story

    Why is the "myth that web surfing is largely an anonymous act" still so "widely held" when, for the last decade or so, it has been so evidently false?

    This article illustrates a fact of online life: all web browsers have flaws, all flaws can be exploited. It also highlights the age-old issue of 'security versus utility' - for example, autocomplete might be convenient occasionally but storing unencrypted identifying data self-evidently compromises security (even if it's just YouPorn popping up as the missus starts to type in YouGov).

    The moral is that *all* browsers are vulnerable to exploits if used with default settings so users should set them up to reduce exposure - turn off autocomplete, never store any unencrypted information, delete session data (including cache and cookies) on exit, never checkmark "remember me on this computer" features, don't bookmark any site you don't want the world to know you visit, and install reputable security add-ons such as NoScript for Firefox.

    However, those precautions will only reduce, not eradicate, exposure - so don't be lulled into a false sense of security just because you've zapped a few cookies.

    Anonymous online? Yeah. Right.

  6. TrinityX
    Happy

    At last!

    A Reg icon for posting to Facebook. Yay!

  7. Robert Carnegie Silver badge

    If I load a malicious web site,

    then as soon as I realise, I close it again. In the absence of browser vulnerabilities, I will be safe, although obviously that's optimistic.

    And if for instance I find myself at a fake version of a reputable web site, a modern browser is likely to notice, for instance colouring the address bar green for safe and red for unsafe.

    This evidently is a story about this type of security breaking down due to unsatisfactory browser implementation.

    1. mangobrain
      Boffin

      I hope you aren't serious...

      Did you RTFA? JavaScript is being used to simulate keypresses, which triggers autocomplete. JavaScript can just as easily be used to submit the (hidden) form into which the input was (non-interactively) entered, making the whole exploit very quick, and require no user interaction beyond visiting the page containing the code. Closing the browser quickly won't help, as it's entirely possible the exploit has finished running before the last image on the page is rendered. Anti-phishing protection in browsers will similarly not help unless it works by stopping you before loading any content - colouring the browser bar differently means nothing if it's already run the script.

      The "type of security" of which you speak is actually no security at all in this case, and undoubtedly many others.

      1. Sceptical Bastard

        Read The F**king Article

        RTFA - mmm, nice one!

  8. Anonymous Coward
    WTF?

    Sure about this?

    Safari helpfully gives me a list of sites that it will use auto-complete for.

    If your site's not on the list, Safari won't help with auto-complete, no matter how hard I try.

    ... so how has this guy managed to make it do that?

    1. CD001

      XSS

      XSS vulnerability on the original site perhaps?

  9. mhenriday

    With regard to the XSS Firefox vulnerability,

    to the degree that I understand the matter aright, Giorgio Maone's NoScript should block it. Running a browser on a Windows OS without NoScript is simply asking for trouble. Personally, I'd love to see such an extension for Chrome !...

    Henri

    1. Anonymous Coward
      FAIL

      Or just use Opera

      which of course has included this for years, no plugin needed.

  10. Anonymous Coward
    Anonymous Coward

    Your a bit of a tw*t for using autocomplete anyways.....

    ....lazy git.

    1. CD001

      Yeah

      Lazy like not learning the difference between "your" and "you're" you mean?

  11. jubtastic1
    Black Helicopters

    Exactly the reason I've always turned Autocomplete off

    When setting up computers, never bothered researching whether it was possible, just seemed like it would be an obvious/easy to exploit. Good to know I wasn't just being paranoid.

  12. Harry

    How about a compromise

    How about an autocomplete that only works when the site to which the information will be disclosed is the SAME site that the information was originally submitted to?
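
The origin-scoped autocomplete proposed in the comment above, sketched as an added example (not part of the original thread and not any browser's implementation). `OriginScopedAutofill`, its methods and the sample URLs are hypothetical.

```javascript
// Added illustration: OriginScopedAutofill is a hypothetical model, not a browser API.
class OriginScopedAutofill {
  constructor() {
    this.store = new Map(); // origin -> Map(fieldName -> Set of values)
  }

  // Resolve a (possibly relative) URL against the page and return its origin
  // (scheme + host + port). Unparsable or opaque origins yield null.
  static originOf(url, base) {
    try {
      const origin = new URL(url, base).origin;
      return origin === "null" ? null : origin;
    } catch {
      return null;
    }
  }

  // On form submission, file the value under the origin that received it.
  remember(pageUrl, actionUrl, field, value) {
    const target = OriginScopedAutofill.originOf(actionUrl, pageUrl);
    if (target === null) return false;
    if (!this.store.has(target)) this.store.set(target, new Map());
    const fields = this.store.get(target);
    if (!fields.has(field)) fields.set(field, new Set());
    fields.get(field).add(value);
    return true;
  }

  // Offer values only when both the page showing the form and the form's
  // submit target share the origin the value was saved under. The page check
  // matters because script on the page can read a filled field before submit.
  suggest(pageUrl, actionUrl, field) {
    const page = OriginScopedAutofill.originOf(pageUrl);
    const target = OriginScopedAutofill.originOf(actionUrl, pageUrl);
    if (page === null || page !== target) return [];
    const fields = this.store.get(page);
    return fields && fields.has(field) ? [...fields.get(field)] : [];
  }
}

// Constructed sample data: one value saved on shop.example, then looked up
// from the same site, another site, and mixed page/target combinations.
function demo() {
  const af = new OriginScopedAutofill();
  af.remember("https://shop.example/checkout", "/pay", "email", "alice@example.test");
  return {
    sameSite: af.suggest("https://shop.example/account", "/update", "email"),
    otherSite: af.suggest("https://other.example/", "/collect", "email"),
    crossPost: af.suggest("https://shop.example/x", "https://other.example/collect", "email"),
    otherPage: af.suggest("https://other.example/", "https://shop.example/pay", "email"),
    downgraded: af.suggest("http://shop.example/account", "/update", "email"),
  };
}

console.log(demo());
```

Origin scoping does nothing when the saving site itself runs injected script, which is the XSS case other commenters in this thread describe.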

  13. Jonathan White
    Big Brother

    Um...

    I've never seen autocomplete on Safari (mac or PC) or IE autocomplete a credit card number. Names, yes. Addresses, usually. Phone numbers often and usually the wrong one too but CC details? No.

    Plus, isn't just the number not enough? You also need the expiry date and the security number (the one on the back) before you could use the thing fraudulently. And getting all of that by autocomplete, consistently for the same card rather than say the number on one card and the expiry date of another?

    All seems a little bit less immediately bad than he seems to be suggesting to me. Still, security researcher exaggerating an issue just in front of a major news coverage period Sorry conference, that's never going to happen is it?

    1. Tom 13
      Flame

      Jonathan you clueless twit

      IF you assume the credit card details have been entered into autocomplete, it logically follows that the expiration date and ccv will also be stored. As you noted you need all three to complete an online transaction. The only reason to enter the card number is because you are completing an online transaction, so the other two will be entered at the same time.

      Granted the fool who stores a cc number in autocomplete is a bigger twit than you are, but that doesn't excuse you.

    2. Alan W. Rateliff, II
      Paris Hilton

      Element 5, others

      Our old ISP management software allowed credit card numbers to be saved in the autocomplete. That was 10 years ago and they received quite a tongue-lashing for not including a simple tag to defeat this feature (although, I believe there is a defeat-defeating option available now. hrmmmm)

      Anyway, Element 5's website allows information like that to be saved in autocomplete. IE does it, Firefox does it. Safari and Opera may, but I do not use either of those for general purposes.

      Paris does it, too.

      1. Anonymous Coward
        Pirate

        Even the big boys

        I know of a FTSE 100 company that stores credit card numbers and CCVs in autocomplete... reported the bug to them 4 years ago when I used to work there and they've still not fixed it.

  14. Nigel 11
    Happy

    A public service

    > Grossman's Black Hat presentation will also demonstrate how a webmaster can silently delete all of a user's browser cookies. The mass cookie deleter works by setting thousands of cookies as soon as a user visits the site.

    Some of us might consider that to be a public service for the common good!

  15. Eddie Johnson
    Grenade

    Sites Like El Reg

    Sites such as El Reg make this worse by using an authenticated email as the login. If I could login using my made up lusername the leaked data would be of much lower value. Yes, I'm lazy for using autocomplete but you are also lazy for using the email addy for login purposes.

    I pretty much always use fake info when possible, a zip code that only matches the first 3 digits if I'm after weather for example, phone numbers with the correct area code but nothing else.

    1. AndrueC Silver badge
      Boffin

      Disposable email addresses

      I use a wild-card based system so that I can hand disposable (or more accurately, trackable) addresses to everyone. Any time I get spam I blacklist the offending inbound address and (if I can be arsed) have a rant at the git that leaked it.

      As a result I get at most half a dozen spams in my inbox a year(*) and I only get them once.

      (*)My mail server sees a lot more but it just ignores the bad ones.

  16. justkyle
    Troll

    Text Mode Browsing

    FTW!

    install a text mode only browser. You'll never regret it.

    1. Probe
      Thumb Down

      Text mode?

      Can you get text mode images?

  17. Anonymous Coward
    Anonymous Coward

    What's the big deal?

    People that don't *have* names, addresses and credit card details have nothing to fear.

  18. Stevie

    Bah!

    *Another* JavaScript-enabled exploit? Is there no end to them?

    Well yes there is.

    Ban useless JavaScript now. You don't need it to buy anything over the www, upload an illegal video to yootoob, yak about nothing interesting to the thin air of the blogosphere or to view pron.

    Which is to say you don't need JavaScript to do anything webby at all other than allow Russians to steal your credit card. Turn it off. Ban it from your websites and provide content that sells itself without Teh Shiny cluttering up the browser with superfluous and dangerous cruft.

    You know it makes sense.

    1. Hayden Clark Silver badge
      Unhappy

      Apparently <a ..> </a> no longer works

      Which is why so many sites define an onclick() handler to implement links! Graargh!

  19. heyrick Silver badge

    ...and then adding javascript that simulates...

    Ah, so it's NoScript to the rescue... again. :-)

  20. Doug Glass
    Go

    How to Frakk Up Really Well

    Store a password anywhere besides in your own brain.

    He who trusts anybody other than himself to provide security for his data has already been screwed. And don't step on any cracks either while you're at it.

  21. Antony Riley
    Boffin

    Explanation.

    Safari & Old versions of IE:

    Visit any website and it could steal any information you've ever entered into a form which auto complete has remembered.

    Firefox & Chrome:

    Visit a website with severe security issues (such that people can steal your cookie and pose as you), and it might delete all your cookies for the site (typically results in being forced to log you out) or steal your login information by presenting a bogus login form which your browser will then dutifully fill out.

    Basically if the website is vulnerable to XSS, these are probably not at the top of the list of your worries. To put it in context, if I reported these vulnerabilities to Firefox or Chrome I'd not expect to receive a bug bounty because it's akin to closing the stable doors after the horses have bolted.

    The reporter is perfectly correct to only list Safari & IE as vulnerable in the byline, in fact it shows a level of understanding I'd not expect from most reporters.

    1. Eddie Johnson
      Alert

      Not Quite...

      I believe the article states that cookie deletions will be global because a cookie flood forces the browser into panic deletions to free space.

      Of course since I always run Firefox in "ask me every time" mode for how long to keep cookies I get prompted at least once for each site. After the first few cookies I choose not to accept them if the site is working fine without them or to accept them for a longer period if it's a site I would actually return to.

      I'm also sitting behind a cookie blocking proxy so I normally only see cookies if I've enabled Javascript for the site and they are set programmatically.

  22. Kevin Raffay
    Alert

    You are never truly safe online

    Internet safety and privacy is a myth, and the only thing one can do is be vigilant. IMHO, HTTP is an inherently unsafe protocol, due to the fact that it streams clear text across the pipe. One must always be cautious, and a decent anti-virus suite, even a free one like AVG, will help. Just assume someone is hacking your passwords, and prepare for the worst.
