Clever Attack Allows Theft Of Names & Addresses From IE & Safari


There has been some very clever attacks lately, especially involving browsers and the kind of data they can leak when probed the right way. The biggest press recently was generated by the history leak that occurs in most browsers.

Another clever attack that got some coverage lately was tabnapping and the latest is another fascinating way to lift information from browsers using the auto-complete feature.

It’s good to see these kind of attacks, when you think about technically how they operate – they are fairly simple. But in saying that it takes a leap in logic to even get to the point where you can start coding for something like this.

The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says.

In a talk scheduled for next week’s Black Hat security conference in Las Vegas, Jeremiah Grossman, CTO of White Hat Security, plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice.

Among the most serious is a vulnerability in Apple’s Safari and earlier versions of Microsoft’s IE that exposes names, email addresses, and other sensitive information when a user visits a booby-trapped website. The attack exploits the browsers’ autocomplete feature used to automatically enter commonly typed text into websites. It works by creating a webpage with fields carrying titles such as “First Name,” “Last Name,” “Email Address,” and “Credit Card Number” and then adding javascript that simulates the user entering various letters, numbers or keystrokes into each one.

It seems all 4 of the main browsers are susceptible to this, although the implementation varies slightly for each browser. Hacking wise that’s not a big problem as you can just do a user agent string identification when the user lands on the malicious page and serve them up with the relevant info grabbing script for their browser type.

The worst case scenario is if this flaw allows malicious pages to gather user passwords that are stored in the browser, combined with the ability to probe the browser to see which sites they have visited..it could multiply into a quite accurate and potentially dangerous attack.

The worst effected is the Safari and older versions of Internet Explorer.


Users who in the past have used the autocomplete features to store that information in versions 6 and 7 of IE or versions 4 and 5 of Safari will find that the information will be automatically zapped to the rogue website. No interaction is necessary other than to visit the page. Webmasters can set the input fields to be invisible to better conceal the attack.

In the case of Safari, Grossman’s proof-of-concept attack simulates a user entering various letters or numbers into the fields. In a demonstration, when the script entered the letter J under a field titled “Name,” the browser automatically exposed “Jeremiah Grossman” to the web server. Grossman said he alerted Apple to the vulnerability on June 17, but received no reply other than an automatic response saying his message had been received.

“I would never have talked about this publicly if Apple had taken this seriously,” he told The Register. “I figured somebody else must have found this before because it’s so brain-dead simple.” When he sent a follow up query “I never heard anything back, human or robotic.”

Tricking IE 6 and 7 into coughing up the autocomplete details works in a similar fashion, but instead of simulating the entering of numbers or letters into a field, Grossman enters a user’s down arrow twice and then the enter key to extract the stored information. If more than one record is stored in that field, the script will repeat the process so they can be lifted as well.

Apart from the above flaws he seems to have uncovered a whole lot of bugs in all the major browsers including ways to steal passwords from Firefox and Chrome by using bugs + XSS attacks.

Another neat trick is the ability to erase all cookies on a users computer, not really dangerous but certainly annoying. The trick is to spawn more cookies than the browser can handle (about 3000 for Firefox) so the browser will delete all older cookies. The PoC for this takes about 2.5 seconds!

It’ll be interesting to see the whole talk at BlackHat.

Source: The Register

Posted in: Exploits/Vulnerabilities, Privacy, Web Hacking

, , , , , , ,


Latest Posts:


zBang - Privileged Account Threat Detection Tool zBang – Privileged Account Threat Detection Tool
zBang is a risk assessment tool for Privileged Account Threat Detection on a scanned network, organizations & red teams can use it to identify attack vectors
Memhunter - Automated Memory Resident Malware Detection Memhunter – Automated Memory Resident Malware Detection
Memhunter is an Automated Memory Resident Malware Detection tool for the hunting of memory resident malware at scale, improving threat hunter analysis process.
Sandcastle - AWS S3 Bucket Enumeration Tool Sandcastle – AWS S3 Bucket Enumeration Tool
Sandcastle is an Amazon AWS S3 Bucket Enumeration Tool, formerly known as bucketCrawler. The script takes a target's name as the stem argument (e.g. shopify).
Astra - API Automated Security Testing For REST Astra – API Automated Security Testing For REST
Astra is a Python-based tool for API Automated Security Testing, REST API penetration testing is complex due to continuous changes in existing APIs.
Judas DNS - Nameserver DNS Poisoning Attack Tool Judas DNS – Nameserver DNS Poisoning Attack Tool
Judas DNS is a Nameserver DNS Poisoning Attack Tool which functions as a DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation.
dsniff Download - Tools for Network Auditing & Password Sniffing dsniff Download – Tools for Network Auditing & Password Sniffing
Dsniff download is a collection of tools for network auditing & penetration testing. Dsniff, filesnarf, mailsnarf, msgsnarf, URLsnarf, and WebSpy passively monitor a network


One Response to Clever Attack Allows Theft Of Names & Addresses From IE & Safari

  1. alex2308 July 21, 2010 at 11:04 am #

    Well, it is not THAT new. You can even read about similar attacks in printed books (at least one – Hacking – The new generation).