Auto-complete: browsers disclose private data - Update

    Date: 22 Jul 2010
    Posted By: Alex
    In the run-up to his presentation at the Black Hat conference, Jeremiah Grossman of WhiteHat Security told The Register that users who allow their browsers to auto-complete frequently used form fields, such as names or email addresses, may become an easy target for data thieves. For instance, auto-complete data can reportedly be retrieved automatically via JavaScript in Safari 4 and 5. To exploit the flaw, an attacker creates a crafted web page containing various input fields with typical labels such as name, email address or credit card number. A script then tries out all possible first letters in these fields. This triggers the auto-complete feature, which kicks in once the first character has been entered. If the browser auto-completes the letter to make a word, the script processes the entered value. This can even be done invisibly via hidden form fields.

    Grossman informed Apple about the data leak on the 17th of June but says that so far he has not received any reply, other than an automated confirmation of receipt. A similar form of this attack scenario is already familiar from versions 6 and 7 of Microsoft Internet Explorer. In combination with cross-site scripting, Chrome and Firefox are also said to be vulnerable. There, attackers can even obtain data which the browsers' auto-complete feature only enters into the relevant web page
