Clever Attack Allows Theft Of Names & Addresses From IE & Safari

The New Acunetix V12 Engine


There has been some very clever attacks lately, especially involving browsers and the kind of data they can leak when probed the right way. The biggest press recently was generated by the history leak that occurs in most browsers.

Another clever attack that got some coverage lately was tabnapping and the latest is another fascinating way to lift information from browsers using the auto-complete feature.

It’s good to see these kind of attacks, when you think about technically how they operate – they are fairly simple. But in saying that it takes a leap in logic to even get to the point where you can start coding for something like this.

The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says.

In a talk scheduled for next week’s Black Hat security conference in Las Vegas, Jeremiah Grossman, CTO of White Hat Security, plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice.

Among the most serious is a vulnerability in Apple’s Safari and earlier versions of Microsoft’s IE that exposes names, email addresses, and other sensitive information when a user visits a booby-trapped website. The attack exploits the browsers’ autocomplete feature used to automatically enter commonly typed text into websites. It works by creating a webpage with fields carrying titles such as “First Name,” “Last Name,” “Email Address,” and “Credit Card Number” and then adding javascript that simulates the user entering various letters, numbers or keystrokes into each one.

It seems all 4 of the main browsers are susceptible to this, although the implementation varies slightly for each browser. Hacking wise that’s not a big problem as you can just do a user agent string identification when the user lands on the malicious page and serve them up with the relevant info grabbing script for their browser type.

The worst case scenario is if this flaw allows malicious pages to gather user passwords that are stored in the browser, combined with the ability to probe the browser to see which sites they have visited..it could multiply into a quite accurate and potentially dangerous attack.

The worst effected is the Safari and older versions of Internet Explorer.


Users who in the past have used the autocomplete features to store that information in versions 6 and 7 of IE or versions 4 and 5 of Safari will find that the information will be automatically zapped to the rogue website. No interaction is necessary other than to visit the page. Webmasters can set the input fields to be invisible to better conceal the attack.

In the case of Safari, Grossman’s proof-of-concept attack simulates a user entering various letters or numbers into the fields. In a demonstration, when the script entered the letter J under a field titled “Name,” the browser automatically exposed “Jeremiah Grossman” to the web server. Grossman said he alerted Apple to the vulnerability on June 17, but received no reply other than an automatic response saying his message had been received.

“I would never have talked about this publicly if Apple had taken this seriously,” he told The Register. “I figured somebody else must have found this before because it’s so brain-dead simple.” When he sent a follow up query “I never heard anything back, human or robotic.”

Tricking IE 6 and 7 into coughing up the autocomplete details works in a similar fashion, but instead of simulating the entering of numbers or letters into a field, Grossman enters a user’s down arrow twice and then the enter key to extract the stored information. If more than one record is stored in that field, the script will repeat the process so they can be lifted as well.

Apart from the above flaws he seems to have uncovered a whole lot of bugs in all the major browsers including ways to steal passwords from Firefox and Chrome by using bugs + XSS attacks.

Another neat trick is the ability to erase all cookies on a users computer, not really dangerous but certainly annoying. The trick is to spawn more cookies than the browser can handle (about 3000 for Firefox) so the browser will delete all older cookies. The PoC for this takes about 2.5 seconds!

It’ll be interesting to see the whole talk at BlackHat.

Source: The Register

Posted in: Exploits/Vulnerabilities, Privacy, Web Hacking

, , , , , , ,


Latest Posts:


RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.
NetBScanner - NetBIOS Network Scanner NetBScanner – NetBIOS Network Scanner
NetBScanner is a NetBIOS network scanner tool that scans all computers in the IP addresses range you choose, using the NetBIOS protocol.
Metta - Information Security Adversarial Simulation Tool Metta – Information Security Adversarial Simulation Tool
Metta is an information security preparedness tool in Python to help with adversarial simulation and assess security defense preparation and alerts.
Powershell-RAT - Gmail Exfiltration RAT Powershell-RAT – Gmail Exfiltration RAT
Powershell-RAT is a Python-based Gmail exfiltration RAT that can be used a Windows backdoor to send screenshots or other data as an e-mail attachment.
SCADA Hacking - Industrial Systems Woefully Insecure SCADA Hacking – Industrial Systems Woefully Insecure
It seems like SCADA hacking is still a topic in hacker conferences, and it should be with SCADA systems still driving power stations, manufacturing plants etc.
airgeddon - Wireless Security Auditing Script airgeddon – Wireless Security Auditing Script
Airgeddon is a Bash powered multi-use Wireless Security Auditing Script for Linux systems with an extremely extensive feature list.


One Response to Clever Attack Allows Theft Of Names & Addresses From IE & Safari

  1. alex2308 July 21, 2010 at 11:04 am #

    Well, it is not THAT new. You can even read about similar attacks in printed books (at least one – Hacking – The new generation).