Monday, August 02, 2010

Breaking Browsers: Hacking Auto-Complete (All Materials Available)

BlackHat was one amazing ride. Over 5,000 people attended, a conference record. I got to see a ton of friends and colleagues and was fortunate enough to meet many new and interesting people. Of course a big highlight for me was my presentation, which roughly 800 - 1,000 people attended. A great turnout considering the talk was up against really solid and well-known presenters like Haroon Meer, Moxie Marlinspike, Christofer Hoff, and Ivan Ristic. Aside from some projector glitches and a failed cookie eviction demo everything went smoothly. From feedback in the hallway, much of the audience's pin-drop silence was due to shock at how ridiculously simple yet effective these hacks were. :)

Essentially I described how a malicious website could steal its visitors' names, job titles, workplaces, physical addresses, telephone numbers, email addresses, usernames, passwords, search terms, social security numbers, credit card numbers, and on and on by manipulating a Web browser's HTML form auto-complete / autofill functionality. For good measure I also showed how a Web page could evict all of a user's cookies, thereby automatically logging the user out of all their current sessions, deleting tracking cookies, and so on. Lastly, with only clever bits of JavaScript, these attacks can cheaply impact millions of Web users via online advertising networks. Yes, a lot of fun.

My complete “Breaking Browsers: Hacking Auto-Complete” slide deck is available. I’ve put up a series of blog posts describing each of the distinct Web hacking techniques complete with proof-of-concept code, screen shots, videos, and technical explanations. Enjoy!

Other closely related Auto-Complete / AutoFill bugs:

5 comments:

Benji said...

Is going into the browser's security/personal settings and deleting previously stored sensitive passwords enough to prevent them being compromised, or are they still stored and vulnerable to the techniques detailed above even after being deleted by the user?

Jeremiah Grossman said...

@Benji: That depends on the browser you are using. IE 6/7 and Safari have not been properly patched. IE8/9, Chrome, and Firefox are generally going to be the best choices to protect your auto-complete data. For passwords though, all are susceptible in some way. You might consider a third-party password manager to use instead.

Benji said...

Thank you for the reply Jeremiah.

Can I ask, just to clarify, does turning off the auto-complete and password manager options in a browser like Firefox or Chrome (which I use), then deleting (through the browser's dialog box) previously stored passwords and auto-complete data, mean that (even if my browser is compromised) the data won't be there to steal because it's been deleted, and won't be inadvertently re-captured because the Auto-Complete and Password Remembering functionality has been turned off?

I'm sorry if I'm being dense. But your article was a wake-up call as my main email account and even some internet banking data was auto-completing. So I've taken the steps detailed above to protect myself and am now entering this data manually every time. I'd like to be able to recommend my friends do the same so I need to know if taking the steps above actually makes a difference.

Thanks Again.

Jeremiah Grossman said...

@Benji: Yes. If you disable the auto-complete features and remove the data, then if your machine / browser is compromised in some way, that data will not be lost -- because it doesn't exist. However, if your machine is hacked, you likely have bigger problems than auto-complete. Best to keep secure in all facets.

For myself, I think securing a piece of paper with my passwords is easier and safer than anything on my computer. Food for thought.