Autocomplete Feature Leaves Browsers Vulnerable

Mozilla and Internet Explorer are especially susceptible to an attack

By Eduard Kovacs on October 25th, 2011 06:44 GMT

Since it's possible to get key up and key down events through JavaScript when a drop-down autocomplete menu is displayed, an ill-intended cybervillain can steal arbitrary values from a browser's autocomplete feature.

Researchers from Minded Security Labs believe that most browsers are susceptible to the attack, and they even published a small web application that acts as a proof of concept, showing that all versions of Firefox are completely exposed.

Internet Explorer is just as weak but Google Chrome seems to be just a bit more protected as it doesn't send these events to JavaScript when the autocomplete dropdown menu is focused. This doesn’t make it completely foolproof, but at least a potential attack is not as easy to perform as in Firefox or IE.

The proof of concept, unfortunately, is easy to integrate into any web game placed in a simple HTML page. A game in which the user has to press the up and down arrows on the keyboard seems to be a simple online app, but turns out to be a highly effective data stealer.

It can steal practically any information you ever typed inside a browser, including account names, search words and a lot more.

In order to fix this issue, vendors should “tie the information a site asks via autocomplete inputs to the site itself.” Since so far they don't check the origin of the input tag, the web application remains vulnerable to a malicious script.
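The fix quoted above, sketched as an added example (not code from Minded Security Labs or from any browser): a simplified model of a form-history store, keyed first by field name alone and then by origin plus field name. The `FormHistory` class, its methods and the `.example` sites are hypothetical, and the stored values are constructed sample data.

```javascript
// Added illustration: a simplified model of a browser's form-history store.
// Class and method names are hypothetical; no real browser API is used.
class FormHistory {
  constructor({ scopeToOrigin }) {
    this.scopeToOrigin = scopeToOrigin; // true = the fix the researchers ask for
    this.entries = new Map();           // storage key -> Set of remembered values
  }

  // Reduce a page URL to scheme://host[:port]
  static originOf(pageUrl) {
    return new URL(pageUrl).origin;
  }

  // Unscoped stores key on the field name only, so every site shares one bucket.
  key(pageUrl, fieldName) {
    const name = fieldName.toLowerCase();
    return this.scopeToOrigin
      ? `${FormHistory.originOf(pageUrl)}|${name}`
      : name;
  }

  remember(pageUrl, fieldName, value) {
    const k = this.key(pageUrl, fieldName);
    if (!this.entries.has(k)) this.entries.set(k, new Set());
    this.entries.get(k).add(value);
  }

  // Values the autocomplete dropdown would offer for this field on this page.
  suggest(pageUrl, fieldName, prefix = "") {
    const values = this.entries.get(this.key(pageUrl, fieldName)) || new Set();
    return [...values].filter((v) => v.startsWith(prefix));
  }
}

// Constructed sample data: a value saved on one site, then requested by
// the same site and by an unrelated site that reuses the field name.
function compareStores() {
  const results = {};
  for (const scopeToOrigin of [false, true]) {
    const store = new FormHistory({ scopeToOrigin });
    store.remember("https://bank.example/login", "username", "alice.smith");
    results[scopeToOrigin ? "scoped" : "global"] = {
      sameSite: store.suggest("https://bank.example/login?next=/", "username"),
      otherSite: store.suggest("https://game.example/play", "username"),
    };
  }
  return results;
}

console.log(JSON.stringify(compareStores(), null, 2));
```

With the name-only key, the unrelated site's field is offered the saved value; with the origin-scoped key its dropdown is empty while the original site still gets its suggestion.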

Until vendors take a stand, internauts are advised to disable the autocomplete feature on forms from the browser's settings window.

Hopefully, now that the issue is again out in the open, Mozilla, Microsoft and all the others who feel their products are vulnerable to such an attack will take the necessary steps to fix the problem. In the meantime, make sure not to play any suspicious games that urge you to press the up and down keys.