Browser Autocomplete Feature May Reveal Personal Data

Privacy-conscious Windows users might want to check this one out …

The autocomplete feature can be pretty handy at times. It helps you log in on your favorite website faster or load a website in your browser without having to enter the full web address. Researchers from Minded Security Labs have released a proof of concept that demonstrates how a third party website can get access to a browser’s autocomplete entries (which means stealing).

The proof of concept works in Firefox, but the security researchers state that other browsers are also affected by it. They explicitly mention Microsoft’s Internet Explorer and note that the Google Chrome may be vulnerable as well. They do however mention that an attack may not be as easy to implement for that browser due to the fact that Chrome does not “send keydown/keyup events to JS when the autocomplete drop down menu is focused”.

Here is how the issue can be exploited:

It is possible to get key down / up events via JavaScript when a drop down autocomplete menu is shown. This means that it is possible to lure a user to play a game and steal arbitrary values from browsers autocomplete feature.

The proof of concept page demonstrates how third party websites can steal autocomplete information from Firefox. The page can check if autocomplete information are available for sites such as Twitter, Facebook, Gmail, Microsoft or Yahoo logins as well as three different types of inputs.

form autocomplete stealer

According to the security researcher, browser vendors should implement a feature into their browsers that ties the autocomplete input to a particular website. The only way to protect the data from being stolen is to disable the browser’s autocomplete feature for forms and searches.

Firefox users can do that in the preferences under the Privacy tab.

firefox form history

Internet Explorer users can disable autocomplete under Internet Options > Content > AutoComplete > Settings.

internet explorer autocomplete

Are you using your browser’s autocomplete feature for forms? Let me know what you think of the vulnerability in the comments. (Thanks Venkat)


© Martin Brinkmann for gHacks Technology News | Latest Tech News, Software And Tutorials, 2011. | Permalink |
Add to del.icio.us, digg, facebook, reddit, twitter
Post tags: , , , , ,

Link to Original Content

Tags: , , , , ,

Comments are closed.