Wednesday, January 19, 2011

Hacking Auto-Complete

Jeremiah's Research:
http://www.slideshare.net/jeremiahgrossman/breaking-browsers-hacking-autocomplete-blackhat-usa-2010


Established Recommendation:
Disable "autocomplete" or Set autocomplete="off" in input tag password field.
This is 99% ignored by majority of web developers today.


Myth:
Before Jeremiah's Research, it was widely believed that this autocomplete issue is ONLY a local privacy issue. Attackers who physically gain access to a victim's machine can gain access to his browser autocomplete values.


Lesson Learnt:
Research security-related recommendations that have been acted upon issues which are considered as low-risk or impossible-to-happen.

Work harder or think out of the box to create an amazingly PoC that transforms such low-risk to medium/high one.

No comments:

Post a Comment