Monday, October 24, 2011

Autocomplete..again?!

This is a short post about the autocomplete feature in browsers.

Long Story Short:
Q: What's the issue?
A: It is possible to receive keydown/keyup events via JavaScript while a drop-down autocomplete menu is shown. This means that it is possible to lure a user into playing a game and steal arbitrary values from the browser's autocomplete feature.

Q: How should the browser vendors fix it?
A: They should tie the information a site asks for via autocomplete-enabled inputs to the site itself.
They currently don't check the origin of the input tag, but they definitely should.

Short Story Long
It's known: browser autocomplete features have had issues since they were first deployed.
And not only the 2k-style dispatchEvent trick.

In fact, in 2008 I showed a rather interesting technique applied to Opera's input type=url tag, where by using a game and the keydown/keyup events it was possible to steal every URL the victim had visited earlier.

I hoped it was a lesson learned for every vendor, but it seems it wasn't.

The proof of concept works on Firefox <=7.0.1, but it can be ported to IE as well.

Yeah, sure, under Firefox/IE the drop-down autocomplete menu is not hidden, but in the end, does it matter?

Google Chrome at least does not send keydown/keyup events to JS when the autocomplete drop-down menu is focused. I'm not saying it's not exploitable, but at least it's not as easy as in Firefox 7.0.1 or IE 7, 8 and 9.

Checker
So here's a very minimal Greasemonkey script (tested on Chrome and on Firefox + Greasemonkey) whose aim is to show whether autocomplete is on or off.
Just drag and drop it and set the URL filter to '.*' so that it works on every URL.
Here's a sample:



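The author's script and sample are not reproduced on this page. The following is an added example, not the author's Greasemonkey script, showing what such a checker has to decide: for each text-like field, the input's own autocomplete attribute wins, otherwise the enclosing form's attribute applies, otherwise the browser default is "on". Note that a token such as "current-password" still means autocomplete is enabled for that field. The sample field list is constructed here so the logic can run outside a browser; the function and variable names (effectiveAutocomplete, auditFields, collectFields, SAMPLE_FIELDS) are this example's own.

```javascript
// Added example (not the author's script): audit which form fields on a page
// would be offered browser autocomplete.

// Pure decision helper: input attribute > form attribute > default "on".
function effectiveAutocomplete(inputAttr, formAttr) {
  const norm = (v) => (typeof v === 'string' ? v.trim().toLowerCase() : null);
  const own = norm(inputAttr);
  if (own) return own;                 // "off", "on", or a token like "current-password"
  const inherited = norm(formAttr);
  if (inherited) return inherited;
  return 'on';                         // browser default when nothing is specified
}

// Only text-like fields retain a typed history worth flagging.
const TEXT_LIKE = new Set(['text', 'search', 'url', 'email', 'tel', 'password', '']);

// Takes plain field descriptors so it runs without a DOM; in a browser,
// build the list with collectFields(document).
function auditFields(fields) {
  return fields
    .filter((f) => TEXT_LIKE.has((f.type || '').toLowerCase()))
    .map((f) => ({
      name: f.name || f.id || '(unnamed)',
      type: f.type || 'text',
      autocomplete: effectiveAutocomplete(f.autocomplete, f.formAutocomplete),
    }));
}

// Browser side: turn real input/textarea elements into descriptors.
function collectFields(doc) {
  return Array.from(doc.querySelectorAll('input, textarea')).map((el) => ({
    name: el.name,
    id: el.id,
    type: el.tagName === 'TEXTAREA' ? 'text' : el.type,
    autocomplete: el.getAttribute('autocomplete'),
    formAutocomplete: el.form ? el.form.getAttribute('autocomplete') : null,
  }));
}

// Count the fields for which the browser will still offer autocomplete.
function summarize(report) {
  const on = report.filter((r) => r.autocomplete !== 'off');
  return { total: report.length, autocompleteOn: on.length, offenders: on.map((r) => r.name) };
}

// Constructed sample: a search box plus a login form with form-level
// autocomplete="off", where two fields re-enable it on their own.
const SAMPLE_FIELDS = [
  { name: 'q', type: 'search', autocomplete: null, formAutocomplete: null },
  { name: 'username', type: 'text', autocomplete: null, formAutocomplete: 'off' },
  { name: 'pass', type: 'password', autocomplete: 'current-password', formAutocomplete: 'off' },
  { name: 'homepage', type: 'url', autocomplete: 'on', formAutocomplete: 'off' },
  { name: 'agree', type: 'checkbox', autocomplete: null, formAutocomplete: 'off' },
];

if (typeof document !== 'undefined') {
  console.table(auditFields(collectFields(document)));   // real page (e.g. as a user script)
} else {
  console.table(auditFields(SAMPLE_FIELDS));            // offline run on the constructed sample
}
```

On the constructed sample the report lists four text-like fields and flags three of them as autocomplete-enabled: the search box (default "on"), the password field ("current-password") and the URL field (explicit "on"); only the username field inherits the form's "off".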
Feel free to ask about details of the proof of concept, even if the concept should be fairly easy to understand.

Ah, normal users, like me, should simply disable autocomplete on forms.
Don't know how to do it?
Just search the web, or look in your browser's preferences.
