Feeds

IE and Safari lets attackers steal user names and addresses

Ripe for the picking, researcher says

5 things you didn’t know about cloud backup

The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says.

In a talk scheduled for next week's Black Hat security conference in Las Vegas, Jeremiah Grossman, CTO of White Hat Security, plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice.

Among the most serious is a vulnerability in Apple's Safari and earlier versions of Microsoft's IE that exposes names, email addresses, and other sensitive information when a user visits a booby-trapped website. The attack exploits the browsers' autocomplete feature used to automatically enter commonly typed text into websites. It works by creating a webpage with fields carrying titles such as “First Name,” “Last Name,” “Email Address,” and “Credit Card Number” and then adding javascript that simulates the user entering various letters, numbers or keystrokes into each one.

Users who in the past have used the autocomplete features to store that information in versions 6 and 7 of IE or versions 4 and 5 of Safari will find that the information will be automatically zapped to the rogue website. No interaction is necessary other than to visit the page. Webmasters can set the input fields to be invisible to better conceal the attack.

In the case of Safari, Grossman's proof-of-concept attack simulates a user entering various letters or numbers into the fields. In a demonstration, when the script entered the letter J under a field titled “Name,” the browser automatically exposed “Jeremiah Grossman” to the web server. Grossman said he alerted Apple to the vulnerability on June 17, but received no reply other than an automatic response saying his message had been received.

“I would never have talked about this publicly if Apple had taken this seriously,” he told The Register. “I figured somebody else must have found this before because it's so brain-dead simple.” When he sent a follow up query “I never heard anything back, human or robotic.”

Tricking IE 6 and 7 into coughing up the autocomplete details works in a similar fashion, but instead of simulating the entering of numbers or letters into a field, Grossman enters a user's down arrow twice and then the enter key to extract the stored information. If more than one record is stored in that field, the script will repeat the process so they can be lifted as well.

Grossman's research is the latest to shatter the widely held myth that web surfing is largely an anonymous act, at least when done from a public or widely used IP address. In May, researchers demonstrated how a decade-old browser history disclosure vulnerability made the vast majority of web users vulnerable to practical attacks that lifted their viewing habits, including news articles they've read and the Zip Codes they've entered into online forms. That same month, separate researchers showed how most browsers leave behind digital fingerprints that can be used to uniquely identify their users.

Grossman's research take those findings to new highs. In addition to the weaknesses in IE and Safari, he has uncovered flaws in Mozilla Firefox and Google Chrome that can expose passwords stored by the browsers. The feature is designed to automatically enter the user name and password when a user visits a site such as Gmail or Facebook. The researcher says it's possible for unscrupulous webmasters to steal that information by hiding malicious code on their pages. For the attack to work, an XSS, or cross-site scripting vulnerability must be present on the site on which the stored password is used.

Grossman's Black Hat presentation will also demonstrate how a webmaster can silently delete all of a user's browser cookies. The mass cookie deleter works by setting thousands of cookies as soon as a user visits the site. When the number of cookies set exceeds a certain amount – it's about 3,000 for Firefox and just slightly higher for other browsers – all older cookies will automatically be erased. His proof-of-concept takes about 2.5 seconds. ®

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?