
IE and Safari let attackers steal user names and addresses

Ripe for the picking, researcher says


The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says.

In a talk scheduled for next week's Black Hat security conference in Las Vegas, Jeremiah Grossman, CTO of White Hat Security, plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice.

Among the most serious is a vulnerability in Apple's Safari and earlier versions of Microsoft's IE that exposes names, email addresses, and other sensitive information when a user visits a booby-trapped website. The attack exploits the browsers' autocomplete feature, which is used to automatically enter commonly typed text into websites. It works by creating a webpage with fields carrying titles such as “First Name,” “Last Name,” “Email Address,” and “Credit Card Number” and then adding JavaScript that simulates the user entering various letters, numbers or keystrokes into each one.

Users who in the past have used the autocomplete features to store that information in versions 6 and 7 of IE or versions 4 and 5 of Safari will find that the information will be automatically zapped to the rogue website. No interaction is necessary other than to visit the page. Webmasters can set the input fields to be invisible to better conceal the attack.

In the case of Safari, Grossman's proof-of-concept attack simulates a user entering various letters or numbers into the fields. In a demonstration, when the script entered the letter J under a field titled “Name,” the browser automatically exposed “Jeremiah Grossman” to the web server. Grossman said he alerted Apple to the vulnerability on June 17, but received no reply other than an automatic response saying his message had been received.

“I would never have talked about this publicly if Apple had taken this seriously,” he told The Register. “I figured somebody else must have found this before because it's so brain-dead simple.” When he sent a follow-up query, “I never heard anything back, human or robotic.”

Tricking IE 6 and 7 into coughing up the autocomplete details works in a similar fashion, but instead of simulating the entering of numbers or letters into a field, Grossman's script simulates the user pressing the down arrow twice and then the enter key to extract the stored information. If more than one record is stored in that field, the script repeats the process so they can be lifted as well.

Grossman's research is the latest to shatter the widely held myth that web surfing is largely an anonymous act, at least when done from a public or widely used IP address. In May, researchers demonstrated how a decade-old browser history disclosure vulnerability made the vast majority of web users vulnerable to practical attacks that lifted their viewing habits, including news articles they've read and the Zip Codes they've entered into online forms. That same month, separate researchers showed how most browsers leave behind digital fingerprints that can be used to uniquely identify their users.

Grossman's research takes those findings to new highs. In addition to the weaknesses in IE and Safari, he has uncovered flaws in Mozilla Firefox and Google Chrome that can expose passwords stored by the browsers. The feature is designed to automatically enter the user name and password when a user visits a site such as Gmail or Facebook. The researcher says it's possible for unscrupulous webmasters to steal that information by hiding malicious code on their pages. For the attack to work, an XSS, or cross-site scripting, vulnerability must be present on the site on which the stored password is used.

Grossman's Black Hat presentation will also demonstrate how a webmaster can silently delete all of a user's browser cookies. The mass cookie deleter works by setting thousands of cookies as soon as a user visits the site. When the number of cookies set exceeds a certain amount – it's about 3,000 for Firefox and just slightly higher for other browsers – all older cookies will automatically be erased. His proof-of-concept takes about 2.5 seconds. ®
