AutoComplete feature abused to mine form data

Jul 30, 2010 09:56 GMT

A security researcher demoed at the Black Hat security conference how the AutoComplete function in older versions of Internet Explorer can be abused to steal sensitive information about users. The attack involves tricking victims into visiting a maliciously crafted website.

AutoComplete is a feature that has been present in browsers for well over a decade. It is aimed at making the task of filling in Web forms easier. When enabled, data entered into form fields (usernames, email addresses, postal addresses, phone numbers, credit card details) is saved by the browser and offered again the next time it is required.

This is done by remembering the user-supplied value and associating it with the name attribute of the form field it was entered in. For example, if the user types an e-mail address into an input field with name="email", that value becomes available for selection in any field with the same name on any website.

AutoComplete can store multiple values for the same type of field. These are listed when the user starts typing something into it. A particular entry can be selected by pressing the down arrow on the keyboard as many times as necessary and then hitting Enter.

The problem is that key presses can also be triggered via scripting. “All a malicious website must do is create a text field with a commonly used attribute name, again such as 'email,' then dispatch a series of down arrow and enter keystroke events with javascript. By initiating Down-Down-Enter, the first AutoComplete value of that field becomes accessible to javascript where it can be sent to a remote location,” Jeremiah Grossman, the researcher who presented the concept at Black Hat, explains.

It's important to note that only versions 6 and 7 of Internet Explorer are vulnerable to this kind of attack. According to recent browser market share estimates, that covers almost 30% (500 million) of all Internet users. Safari used to be vulnerable too until two days ago, when Apple issued a patch addressing the bug.

The most obvious form of mitigation is to upgrade to Internet Explorer 8 or switch to some other unaffected browser. However, a lot of companies and organizations still enforce the use of Internet Explorer 6 or 7 on their networks for compatibility reasons. For such users, who are tied to a vulnerable version of the browser, the only option is to disable AutoComplete entirely.
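The site-side complement to the user-side mitigation above is the HTML autocomplete="off" attribute, which Internet Explorer has honoured on whole forms and on individual fields since version 5: a field marked this way is never remembered, so there is no stored value for a Down-Down-Enter sequence to surface. The script below is an added example, not code from the article or from Grossman's presentation; it audits a page's forms for fields whose names match the commonly guessed ones discussed above and that are not protected at either field or form level. The sensitive-name list and the sample forms are constructed for illustration.

```javascript
// Field names a harvesting page would guess at (constructed list; extend per site).
const SENSITIVE_NAMES = ["email", "username", "phone", "address", "cardnumber", "ccnumber", "cvv"];

// A missing attribute means AutoComplete is on; the value is matched case-insensitively.
function isOff(value) {
  return typeof value === "string" && value.trim().toLowerCase() === "off";
}

// forms: array of { autocomplete, fields: [{ name, type, autocomplete }] }.
// Returns the fields that AutoComplete would still remember, i.e. still exposed.
function auditForms(forms) {
  const findings = [];
  forms.forEach((form, fi) => {
    const formOff = isOff(form.autocomplete);
    form.fields.forEach((field) => {
      const name = (field.name || "").toLowerCase();
      const type = (field.type || "text").toLowerCase();
      // Only free-text inputs are remembered by form AutoComplete; passwords are a separate store.
      if (!["text", "email", "tel"].includes(type)) return;
      if (!SENSITIVE_NAMES.includes(name)) return;
      if (formOff || isOff(field.autocomplete)) return; // protected at form or field level
      findings.push({ form: fi, name, type });
    });
  });
  return findings;
}

// Browser-side helper: build the same model from the live DOM (not used under Node).
function collectForms(doc) {
  return Array.from(doc.forms).map((f) => ({
    autocomplete: f.getAttribute("autocomplete"),
    fields: Array.from(f.elements).map((e) => ({
      name: e.name, type: e.type, autocomplete: e.getAttribute("autocomplete"),
    })),
  }));
}

// Constructed sample: a form protected as a whole, and a checkout form protected only partially.
const SAMPLE_FORMS = [
  { autocomplete: "off", fields: [{ name: "email", type: "text" }, { name: "password", type: "password" }] },
  { autocomplete: null, fields: [
      { name: "email", type: "text", autocomplete: "OFF" },
      { name: "phone", type: "tel" },
      { name: "cardnumber", type: "text" },
      { name: "comments", type: "text" } ] },
];

if (typeof document !== "undefined") console.log(auditForms(collectForms(document)));
else console.log(auditForms(SAMPLE_FORMS)); // reports phone and cardnumber in form 1
```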

You can follow the editor on Twitter @lconstantin