Feeds

IE and Safari lets attackers steal user names and addresses

Ripe for the picking, researcher says

SANS - Survey on application security programs

The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says.

In a talk scheduled for next week's Black Hat security conference in Las Vegas, Jeremiah Grossman, CTO of White Hat Security, plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice.

Among the most serious is a vulnerability in Apple's Safari and earlier versions of Microsoft's IE that exposes names, email addresses, and other sensitive information when a user visits a booby-trapped website. The attack exploits the browsers' autocomplete feature used to automatically enter commonly typed text into websites. It works by creating a webpage with fields carrying titles such as “First Name,” “Last Name,” “Email Address,” and “Credit Card Number” and then adding javascript that simulates the user entering various letters, numbers or keystrokes into each one.

Users who in the past have used the autocomplete features to store that information in versions 6 and 7 of IE or versions 4 and 5 of Safari will find that the information will be automatically zapped to the rogue website. No interaction is necessary other than to visit the page. Webmasters can set the input fields to be invisible to better conceal the attack.

In the case of Safari, Grossman's proof-of-concept attack simulates a user entering various letters or numbers into the fields. In a demonstration, when the script entered the letter J under a field titled “Name,” the browser automatically exposed “Jeremiah Grossman” to the web server. Grossman said he alerted Apple to the vulnerability on June 17, but received no reply other than an automatic response saying his message had been received.

“I would never have talked about this publicly if Apple had taken this seriously,” he told The Register. “I figured somebody else must have found this before because it's so brain-dead simple.” When he sent a follow up query “I never heard anything back, human or robotic.”

Tricking IE 6 and 7 into coughing up the autocomplete details works in a similar fashion, but instead of simulating the entering of numbers or letters into a field, Grossman enters a user's down arrow twice and then the enter key to extract the stored information. If more than one record is stored in that field, the script will repeat the process so they can be lifted as well.

Grossman's research is the latest to shatter the widely held myth that web surfing is largely an anonymous act, at least when done from a public or widely used IP address. In May, researchers demonstrated how a decade-old browser history disclosure vulnerability made the vast majority of web users vulnerable to practical attacks that lifted their viewing habits, including news articles they've read and the Zip Codes they've entered into online forms. That same month, separate researchers showed how most browsers leave behind digital fingerprints that can be used to uniquely identify their users.

Grossman's research take those findings to new highs. In addition to the weaknesses in IE and Safari, he has uncovered flaws in Mozilla Firefox and Google Chrome that can expose passwords stored by the browsers. The feature is designed to automatically enter the user name and password when a user visits a site such as Gmail or Facebook. The researcher says it's possible for unscrupulous webmasters to steal that information by hiding malicious code on their pages. For the attack to work, an XSS, or cross-site scripting vulnerability must be present on the site on which the stored password is used.

Grossman's Black Hat presentation will also demonstrate how a webmaster can silently delete all of a user's browser cookies. The mass cookie deleter works by setting thousands of cookies as soon as a user visits the site. When the number of cookies set exceeds a certain amount – it's about 3,000 for Firefox and just slightly higher for other browsers – all older cookies will automatically be erased. His proof-of-concept takes about 2.5 seconds. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.