Posted by on March 2, 2008, 1:33 am
Hi,
I recently learned of the "exploit" where you can run a javascript
command to view saved passwords that are hidden. This code:
javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms;
for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if
(f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if
(s) alert("Passwords in forms on this page:\n\n" + s); else
alert("There are no passwords in forms on this page.");})();
I was wondering if there was any way to protect against this?
Please refrain from stating the obvious, "don't save your passwords".
There are a couple of sites I use frequently and don't care about
security too much, but don't want my passwords to disappear.
Thanks,
Matthew
Posted by Bit Twister on March 2, 2008, 2:12 am
On Sat, 1 Mar 2008 22:33:23 -0800 (PST), matthewslaney@gmail.com wrote:
> Hi,
>
> I recently learned of the "exploit" where you can run a javascript
> command to view saved passwords that are hidden.
>
>
> I was wondering if there was any way to protect against this?
Disable java* in Firefox. :-D
You might want to consider installing the NoScript Add On to Firefox.
http://noscript.net as a first step. Then under NoScript's Options-->Advanced
set all boxes checked for Untrusted.
> Please refrain from stating the obvious, "don't save your passwords".
> There are a couple of sites I use frequently and don't care about
> security too much, but don't want my passwords to disappear.
Not much hope there.
“In mid-year 2007, studies showed there were nearly 30,000 new
infected web pages being created every day.”
http://finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3
Black hats have cracked ad servers, so no site can be considered trusted
if a web page has ads from an ad server or tracking links.
Solution there, install privoxy from http://www.privoxy.org/ and add a bunch
of sites to block ads for starters.
For linux users,
http://groups.google.com/group/alt.os.linux.mandriva/msg/a76245f3f5fab041 has install instructions for Mandriva linux and a copy of my user.action
file with lots of sites blocked. Windows users could get the blocked
sites in my user.actions from the above link.
You also should consider some rules like,
You never enter a site requiring a password after surfing the net.
You close the browser, then open it,
then go to the site needing a login.
When done, exit browser.
That should help with cross-scripting, man in the middle exploits.
I have separate linux accounts for each site requiring an id/pw and one
just for surfing. I run 8 desktop windows.
I click a shortcut on the desktop, get switched to a different window
and 3 seconds later a new firefox is running with a page to click the link.
On login, firefox is executed with "firefox index.html".
index.html has the links I need for the site.
That way I just click where I want to go. No possibility of mis-typing
or poisoned cache/bookmarks file.
Upon exit, ~/.bash_logout deletes everything and tars in a pristine setup.
Sorry that does not help you since you are running on Windows OS.
I still do not have passwords saved in the browser.
Posted by Gerald Vogt on March 2, 2008, 3:35 am
On Mar 2, 3:33 pm, matthewsla...@gmail.com wrote:
> I recently learned of the "exploit" where you can run a javascript
> command to view saved passwords that are hidden. This code:
There is nothing you can do against that. Either the password is
already in the page, i.e. visible in the source code of the page, or
you have entered it. The former should not happen, as it is not
necessary to transmit the password back to the browser. A simple dummy
password would be enough to indicate whether it has been changed or
not.
Gerald
Posted by Sebastian G. on March 2, 2008, 6:15 am
matthewslaney@gmail.com wrote:
> Please refrain from stating the obvious, "don't save your passwords".
> There are a couple of sites I use frequently and don't care about
> security too much, but don't want my passwords to disappear.
Then why don't you use cookies for authentication?
Posted by Barry Margolin on March 2, 2008, 10:16 am
In article
matthewslaney@gmail.com wrote:
> Hi,
>
> I recently learned of the "exploit" where you can run a javascript
> command to view saved passwords that are hidden. This code:
>
> javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms;
> for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if
> (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if
> (s) alert("Passwords in forms on this page:\n\n" + s); else
> alert("There are no passwords in forms on this page.");})();
>
> I was wondering if there was any way to protect against this?
>
> Please refrain from stating the obvious, "don't save your passwords".
> There are a couple of sites I use frequently and don't care about
> security too much, but don't want my passwords to disappear.
I'm not sure what the threat is. Obviously a script on a web page has
access to all the form data you've entered into it, including passwords.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***