Comments on Web Reflection: Security Basis, and an Internet Explorer data stealer
Blog author: Andrea Giammarchi (http://www.blogger.com/profile/16277820774810688474)

Anonymous, 2008-11-12 02:37 (+01:00):
I had been trusting Firefox's encrypting data, but after reading this, we tried it out. Sure enough, we found that form data (a credit card number) was accessible for autocompletion even though we diligently refused to give it the password (it asked for one on each character typed into a login field as it tried to autocomplete!).

Anonymous, 2008-09-09 18:58 (+02:00):
Good catch! This worked on your example page in both IE6 and IE7 for me (didn't try IE8).

The page itself would have to include this malicious code. One obvious entry point: advertisers. Just like the O'Reilly porn redirects that took place a while back, this could be used to steal u/p's. My bank better not be including random advertising JavaScript -- that would be something to check out.

Anonymous, 2008-09-09 00:15 (+02:00):
I always thought about this when creating form inputs and using the autocomplete. For example, naming an input "q" to access all past Google searches (I do this for a YouTube plugin), but I automatically assumed this was not accessible via JavaScript because that would be such a large security hole. Leave it to the IE guys, though, to prove me wrong!

I also thought about a similar security risk with Mozilla's home function, but have not found a way to exploit it:
http://readystate4.com/2008/06/30/mozillas-home-javascript-function/
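The comments above turn on two points: a page can harvest whatever the browser is willing to autocomplete into its fields, and a generic field name such as "q" inherits history typed on other sites. The practical check a site owner wants is an audit of its own forms for fields that should opt out of autocomplete but do not. The script below is an added example, not code from the post or from any of the commenters; its regex-based tag scan, its list of "sensitive-looking" name fragments, the treatment of very short names as shared across sites, and the sample form are all assumptions made for this illustration.

```javascript
// Added example (not from the original post or its comments): audit form
// markup for fields whose autocomplete history a page could read, and report
// those that do not opt out with autocomplete="off" (or, for password fields,
// autocomplete="new-password"). The tag scan is a deliberately simple regex
// over static HTML so it runs offline; it is not a full HTML parser.

// Assumption: name fragments that usually indicate card numbers, CVVs,
// national IDs, passwords or tokens. Heuristic, not an exhaustive list.
const SENSITIVE_NAME = /(card|cc|cvv|cvc|ssn|passw|pwd|secret|token)/i;

// Field types that never receive typed text and so carry no history.
const NON_TEXT_TYPES = new Set(['hidden', 'submit', 'button', 'checkbox', 'radio', 'reset', 'image', 'file']);

// Parse the attributes of a single <input ...> tag into a plain object.
// Handles double-quoted, single-quoted and bare attribute values.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).trim();
  }
  return attrs;
}

// Return the inputs for which autocomplete should be disabled but is not.
// Each finding is { name, type, reason }.
function auditAutocomplete(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    const type = (a.type || 'text').toLowerCase();
    const name = a.name || a.id || '';
    if (NON_TEXT_TYPES.has(type)) continue;

    const reasons = [];
    if (type === 'password') reasons.push('password field');
    if (SENSITIVE_NAME.test(name)) reasons.push('sensitive-looking name');
    // Assumption: a one- or two-letter name (like "q") shares its autocomplete
    // history with every other site using that name, so the page can offer,
    // and read back, values the user typed elsewhere.
    if (name.length > 0 && name.length <= 2) reasons.push('generic name shared across sites');
    if (reasons.length === 0) continue;

    const ac = (a.autocomplete || '').toLowerCase();
    if (ac === 'off') continue;
    if (type === 'password' && ac === 'new-password') continue;
    findings.push({ name, type, reason: reasons.join('; ') });
  }
  return findings;
}

// Constructed sample form for the demonstration (not from the post).
const SAMPLE_FORM = `
<form action="/checkout" method="post">
  <input type="text" name="q">
  <input type="text" name="email">
  <input type="text" name="cc_number" autocomplete="off">
  <input type="text" name="cvv">
  <input type="password" name="password" autocomplete="new-password">
  <input type="password" name="pwd">
  <input type="hidden" name="csrf" value="abc">
  <input type="submit" value="Pay">
</form>`;

// Stand-alone usage: list the fields that still expose autocomplete history.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditAutocomplete(SAMPLE_FORM)) {
    console.log(`${f.type} field "${f.name}": ${f.reason}`);
  }
}
```

On the sample form the audit flags `q` (generic name), `cvv` (sensitive name, no opt-out) and `pwd` (password field without `off` or `new-password`), while `cc_number` and `password` pass because they opt out. Run it against the rendered markup of each form a site serves; fields added by third-party scripts, the entry point the second commenter worries about, only show up if the audit runs on the live DOM rather than the server template.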