Hacking Auto-Complete
Jeremiah's Research:
http://www.slideshare.net/jeremiahgrossman/breaking-browsers-hacking-autocomplete-blackhat-usa-2010
Established Recommendation:
Disable "autocomplete" or Set autocomplete="off" in input tag password field.
This is 99% ignored by majority of web developers today.
Myth:
Before Jeremiah's Research, it was widely believed that this autocomplete issue is ONLY a local privacy issue. Attackers who physically gain access to a victim's machine can gain access to his browser autocomplete values.
Lesson Learnt:
Research security-related recommendations that have been acted upon issues which are considered as low-risk or impossible-to-happen.
Work harder or think out of the box to create an amazingly PoC that transforms such low-risk to medium/high one.
http://www.slideshare.net/jeremiahgrossman/breaking-browsers-hacking-autocomplete-blackhat-usa-2010
Established Recommendation:
Disable "autocomplete" or Set autocomplete="off" in input tag password field.
This is 99% ignored by majority of web developers today.
Myth:
Before Jeremiah's Research, it was widely believed that this autocomplete issue is ONLY a local privacy issue. Attackers who physically gain access to a victim's machine can gain access to his browser autocomplete values.
Lesson Learnt:
Research security-related recommendations that have been acted upon issues which are considered as low-risk or impossible-to-happen.
Work harder or think out of the box to create an amazingly PoC that transforms such low-risk to medium/high one.
Comments
Post a Comment