I saw an article on The-H today about the auto-complete feature being tricked into disclosing passwords and private data on hidden form fields. JavaScript is being used for this attack. I understand NoScript would prevent this attack on blacklisted sites. Does NoScript provide protection against this type of attack, even on sites that I allow?
http://www.h-online.com/security/news/i ... 43122.html
Auto-complete discloses private data
Reply from Giorgio Maone (Site Admin):
Re: Auto-complete discloses private data
The most serious bug described in that article affects Safari, which allows any site to guess your previously entered text box values.
Firefox, like any other browser, can be the victim of autocomplete (especially password-stealing) attacks on the very web site where these passwords are meant to be used.
To mount an attack, the malicious party must exploit an XSS vulnerability in order to run attacker-controlled JavaScript on the trusted website.
Fortunately NoScript DOES prevent XSS attacks from succeeding, so yes, if you're a NoScript user you're protected everywhere.