Black Hat: Most browsers can be made to give up personal data

The flaw Jeremiah Grossman found in Internet Explorer had been discovered independently by someone else in 2008, but so far is still unpatched, he says

All the most commonly used Internet browsers are vulnerable to exploits that can force them to cough up users' personal information that can be used to hack into bank accounts or set them up for other attacks, the Black Hat 2010 conference will be told this week.

"None of the tools I will demonstrate are really difficult," says Jeremiah Grossman, CTO of WhiteHat Security who will present the briefing "Breaking browsers: Hacking Auto-Complete" at the conference.

He says his exploits can coax browsers to give up the information automatically stored by browsers in a feature called auto-complete, which is designed to make it simpler to fill out forms on Web sites that users intend to go to. This includes name, address, e-mail address and in some cases passwords used for accessing sites such as online banking, credit card numbers and search terms that have been entered.

"It's a privacy and a security issue," he says.

Some of the information the browsers relinquish can be used to set up multi-stage attacks where the user is drawn in to giving up more information or to download malware that compromises e-mail or bank accounts.

The surest way around the problem is to turn the auto-complete feature off, but he acknowledges that some people may prefer the convenience it offers to blocking the risk it represents.

Grossman says he had to come up with different exploits for different browsers, but that he found a way to compromise auto-complete on different versions of Internet Explorer, Safari, Chrome and Firefox. This includes Internet Explorer 6 and 7, which account for a third of the browsers used on the Internet, he says.

He says he has notified the makers of the browsers but none has told him of definite plans to fix what he describes as flaws. More than one exploit uses simulated keystrokes to start entering the user's name, and then the feature kicks in to yield more.The fact that each browser required a different exploit indicates the problems are with the software coding. "I think they could be fixed," he says.

The flaw Grossman found in Internet Explorer had been discovered independently by someone else in 2008, but so far is still unpatched, he says.

Read more about wide area network in Network World's Wide Area Network section.

Tags securityWhiteHat SecurityBlack Hat 2010software

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?