Hacking Auto-Complete

Jeremiah's Research:

Established Recommendation:
Disable "autocomplete" or Set autocomplete="off" in input tag password field.
This is 99% ignored by majority of web developers today.

Before Jeremiah's Research, it was widely believed that this autocomplete issue is ONLY a local privacy issue. Attackers who physically gain access to a victim's machine can gain access to his browser autocomplete values.

Lesson Learnt:
Research security-related recommendations that have been acted upon issues which are considered as low-risk or impossible-to-happen.

Work harder or think out of the box to create an amazingly PoC that transforms such low-risk to medium/high one.


Popular posts from this blog

XSS: Gaining access to HttpOnly Cookie in 2012

Jumping out of Touch Screen Kiosks