Wednesday, January 19, 2011

Hacking Auto-Complete

Jeremiah's Research:

Established Recommendation:
Disable "autocomplete" or Set autocomplete="off" in input tag password field.
This is 99% ignored by majority of web developers today.

Before Jeremiah's Research, it was widely believed that this autocomplete issue is ONLY a local privacy issue. Attackers who physically gain access to a victim's machine can gain access to his browser autocomplete values.

Lesson Learnt:
Research security-related recommendations that have been acted upon issues which are considered as low-risk or impossible-to-happen.

Work harder or think out of the box to create an amazingly PoC that transforms such low-risk to medium/high one.

No comments:

Post a Comment

secure configurations for Laravel - The PHP Framework

This framework is makes security simple to achieve.  Out of all non-default settings, the little following can be set to achieve higher secu...