Autocomplete Leaves Browsers Vulnerable

Wednesday, October 26, 2011 @ 09:10 PM gHale

Because JavaScript can receive key-up and key-down events while a drop-down autocomplete menu is displayed, an attacker could steal arbitrary values from a browser’s autocomplete feature.

Most browsers are susceptible to the attack, and researchers from Minded Security Labs said they have built a small web application as a proof of concept showing that every version of Firefox is exposed.


Internet Explorer also has the issue, but Google Chrome offers more protection because it does not deliver these events to JavaScript while the autocomplete drop-down menu is displayed, the researchers said. This does not make Chrome completely foolproof, but a potential attack is not as easy to carry out as in Firefox or IE.

The proof of concept is easy to integrate into any web game placed on a simple HTML page. By building a game in which the user has to press the up and down arrow keys, what appears to be a simple online app turns out to be a highly effective data stealer, the researchers said.

It can steal practically any information the user has ever typed into the browser, including account names, search terms and much more.

To fix the issue, browser vendors should tie the information a site requests through autocomplete inputs to the site itself, the researchers said. Because browsers currently do not check the origin of the input tag, a malicious script on any site can retrieve values that were typed on another.
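The origin check the researchers call for, as an added illustration that is not code from the article or from Minded Security Labs: a toy model of a browser's autocomplete store, keyed by field name only (the 2011 behaviour described above) beside one keyed by the submitting page's origin. Class names, method names and the URLs and values are all constructed for the example.

```javascript
// Added illustration, not code from the article or from Minded Security Labs:
// a toy model of a browser's autocomplete store showing the fix the researchers
// propose. Field-name-only keying lets any page surface values typed on another
// site; keying on the submitting page's origin does not. All names hypothetical.

// Legacy behaviour: entries keyed by input name only.
class FieldNameKeyedStore {
  constructor() { this.byField = new Map(); }
  remember(pageUrl, fieldName, value) {
    if (!this.byField.has(fieldName)) this.byField.set(fieldName, new Set());
    this.byField.get(fieldName).add(value);
  }
  suggest(pageUrl, fieldName, prefix = '') {
    const vals = this.byField.get(fieldName) || new Set();
    return [...vals].filter(v => v.startsWith(prefix)).sort();
  }
}

// Proposed behaviour: entries keyed by (origin, input name). URL() parses the
// page URL and throws on malformed input, so nothing is stored for junk URLs.
class OriginScopedStore {
  constructor() { this.byOriginField = new Map(); }
  static key(pageUrl, fieldName) {
    return `${new URL(pageUrl).origin}|${fieldName}`;
  }
  remember(pageUrl, fieldName, value) {
    const k = OriginScopedStore.key(pageUrl, fieldName);
    if (!this.byOriginField.has(k)) this.byOriginField.set(k, new Set());
    this.byOriginField.get(k).add(value);
  }
  suggest(pageUrl, fieldName, prefix = '') {
    const k = OriginScopedStore.key(pageUrl, fieldName);
    const vals = this.byOriginField.get(k) || new Set();
    return [...vals].filter(v => v.startsWith(prefix)).sort();
  }
}

// Constructed scenario: values typed on one site, then a page on an unrelated
// origin whose input happens to use the same name attribute asks for suggestions.
function demo() {
  const legacy = new FieldNameKeyedStore();
  const scoped = new OriginScopedStore();
  for (const store of [legacy, scoped]) {
    store.remember('https://bank.example/login', 'username', 'alice');
    store.remember('https://bank.example/login', 'username', 'albert');
  }
  return {
    legacyLeak: legacy.suggest('https://game.example/play', 'username', 'al'),
    scopedSameOrigin: scoped.suggest('https://bank.example/login', 'username', 'al'),
    scopedCrossOrigin: scoped.suggest('https://game.example/play', 'username', 'al'),
  };
}
```

The legacy store hands the unrelated page both stored usernames; the origin-scoped store returns them only to the site that collected them.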
