Tuesday, September 09, 2008

Internet Explorer Security Hole - A Better Example

Again, about the security hole I talked about last posts, but this time with a really simple example.

How does the example work



  • Open Internet Explorer, whatever version

  • Go in this page

  • Write a fake user name and a fake password, or a fake email address and a password

  • Click Submit



What does the example do



  • Emulates user actions via javascripts

  • with some version of IE, it could be able to grab both fields values

  • in any case, it demonstrates you that every site could steal your compiled fields in every other site, if the autocomplete option is not forced to be disabled



What could do a malicious, and hidden, code



  • steal your data

  • steal your email

  • steal your credit card information (a really famous company, as example, suffers this problem, so somebody could steal credit cards details of million of people)

  • steal your details

  • steal your searches via common search engines

  • etc, etc



More details in my old post I wrote last Saturday, the one that few people read carefully, understanding what was going on.

This is not a new bug, it exists, and I knew it, since 2004 or before, when banks did not use security checks, yet.

Kind Regards, and please choose another browser until Microsoft will not fix this problem for every IE.

3 comments:

ryanmr said...

I read the article last week and I was impressed that IE6 had such a horrible issue. (Yes, impressed that M$ didn't fix it yet.)

Andrea Giammarchi said...

It's not only about entire logins, it is about private user data that could be easily grabbed from malicious sites.

As I told before, it is not that "magic" that spammers can obtain in such easy way our email addresses.

Fortunately, I am using FireFox since its name was FireBird :geek:

Alejandro Moreno said...

Ok, it does work. But you need to have very specific Auto Complete settings. And the password field wasn't exposed, no matter how much I tried. To be fair, credit card info is never a password field, so this is a problem.

(In case it matters, I'm using XP SP2 and IE7 with all the latest patches.)

Go to Tools -> Internet Options -> Content -> AutoComplete Settings. There are four (4) checkboxes there:

* Web addresses,
* Forms,
* User names and passwords, and
* Prompt to save passwords.

In my tests, the script picked up my user name only if "Forms" was checked. Somewhat unexpectedly, the "User names and passwords" checkbox had no effect.