• Categories

  • Archives

    « Home

    Ars Technica: How script kiddies can hijack your browser to steal your password

    Ars Technica reports on a security issue for Internet browsers that could affect the privacy of your online passwords:

    Be careful what you type on your computer while surfing the Web. It very well could be funneled to a script kiddie who has appropriated a handful of lines of code and inserted it into his site.

    The hack has been possible for years, but two proofs of concept published this month graphically demonstrate just how easy it is for even savvy people to fall for it. Both demonstrations use JavaScript to hijack the search command found in all standard browsers. The script is activated when a user presses the ctrl+f or ⌘+f keys, causing whatever is typed after that to be sent to a server under the control of the website operator rather than to the browser’s search box.

    Proofs of concept here and here show how this method could be used to trick people into divulging their password or credit card number respectively. The pages pose as lists that catalog leaked user data and invite visitors to search it to see if their information is included. […]

    There are at least two possible solutions to reduce threats like these. One is tweaking the user interface so search boxes are in a part of the browser that can’t be confused with Web content. Browser designers who wanted to adopt this approach might be able to learn from changes Microsoft has made to recent versions of Windows that cause Web content to be shaded when sensitive system messages are being displayed. An alternate fix could involve displaying a warning when sites call preventDefault to cancel events registered as a browser key binding.

    Given the frequency of posts purporting to contain passwords, credit card numbers, and other details leaked from popular websites, it’s not a stretch to think plenty of people use the search feature to see if their personal information is included. If you’ve ever typed data into a browser search box that you wouldn’t want outsiders to see, you’re in good company.

    Leave a Reply