Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com)

Posted by EditorDavid on Sunday January 8, 2017 @08:34PM from the I-know-what-you-typed-last-summer dept.

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allow attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.

112 comments

Min score:

Reason:

Sort:

Just solve the bug... by Anonymous Coward · 2017-01-08 20:49 · Score: -1

"don't autofill hidden form fields". Kudos to the researcher, but hardly a topic worthy of lengthy discussion?
1. Re:Just solve the bug... by Kkloe · 2017-01-08 20:53 · Score: 1
  
  Then you can with css and\or using images or other things to cover up the non-hidden fields.
  
  Best thing would make them autofillable with a browser command that javascript and such cant use.
2. Re:Just solve the bug... by darkain · 2017-01-08 21:10 · Score: 1
  
  How exactly would that even solve the issue? As soon as the user hits "submit", the data is submitted. ZERO JavaScript required for this particular phishing attack as it is already.
3. Re:Just solve the bug... by Kkloe · 2017-01-08 21:26 · Score: 1
  
  ?, it is not even that, that data can be submitted to the server before you click anything as the fields gets auto-filled when you enter the page, then it just about having a js-trigger who listen on x-field-changed that will send the filled data before anything is clicked by the user.
4. Re:Just solve the bug... by hcs_$reboot · 2017-01-08 21:38 · Score: 5, Insightful
  
  "don't autofill hidden form fields"
  How do you know it's hidden, for sure? The fields may be displayed in a non-showing mode in css (visible:hidden, display:none), or, worse, the fields might be shown in the same background color as the page (white on white). The fields could also be displayed with a 1px width... or buried somewhere within some text three pages down below...
  
  The autofil feature needs to be smarter, and show the user the list of fields to be filled, and ask if it's ok.
  
  --
  Slashdot, fix the reply notifications... You won't get away with it...
5. Re:Just solve the bug... by geekmux · 2017-01-08 23:12 · Score: 2, Insightful
  
  ...The autofill feature needs to be smarter, and show the user the list of fields to be filled, and ask if it's ok.
  Uh, ask the user?
  The user who abuses the I'm-too-lazy-to-type autofill feature?
  The user who will instantly dismiss any form of notification that requires reading and accept anyway?
  You mean that user?
  Seems you have forgotten about the mentality that created shit like autofill in the first place.
6. Re:Just solve the bug... by hcs_$reboot · 2017-01-08 23:51 · Score: 1
  
  The user sees a bunch of fields that are not supposed to be filled. And of course he may click ok without further check. The solution is not perfect but is much better than the current "no warning" solution.
  
  --
  Slashdot, fix the reply notifications... You won't get away with it...
7. Re:Just solve the bug... by Opportunist · 2017-01-09 00:19 · Score: 2
  
  I feel kinda odd for suggesting something I saw in a MS product, but how about the Excel approach? When you start to type in a field, it offers you a known text that would complete what you started.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
8. Re:Just solve the bug... by Big+Hairy+Ian · 2017-01-09 00:28 · Score: 1
  
  FFS just don't autofill particularly not with ID & Password which it has to be storing in a way it can unencrypt to plain text because that's a bad enough attack vector on its own
  
  --
  Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
9. Re:Just solve the bug... by asylumx · 2017-01-09 00:34 · Score: 1
  
  Or perhaps "don't auto-fill any field if the user doesn't interact with that field" -- don't auto-fill the whole form, for example, just go one field at a time.
10. Re:Just solve the bug... by coofercat · 2017-01-09 00:36 · Score: 2
  
  Click to fill fields you want maybe?
11. Re:Just solve the bug... by Anonymous Coward · 2017-01-09 01:22 · Score: 1
  
  This is exactly what Opera's Wand feature was. If I'm not wrong, it stopped existing when they moved to Chromium.
12. Re:Just solve the bug... by Anonymous Coward · 2017-01-09 02:48 · Score: 0
  
  ?, it is not even that, that data can be submitted to the server before you click anything as the fields gets auto-filled when you enter the page, then it just about having a js-trigger who listen on x-field-changed that will send the filled data before anything is clicked by the user.
  Yes, that is possible, but how exactly does the use of JavaScript qualify as a "it is not even that" to a post about not using JavaScript?
13. Re:Just solve the bug... by Anonymous Coward · 2017-01-09 02:51 · Score: 0
  
  Then you can with css and\or using images or other things to cover up the non-hidden fields.
  I meant hidden as in not visible, not hidden as in <input type="hidden" />.
14. Re:Just solve the bug... by AvitarX · 2017-01-09 04:04 · Score: 1
  
  Though this doesn't require JS to work (as once one hits submit it goes anyway), but it does give me an idea for a pretty much total fix browser side.
  Fields auto fill yellow, they aren't actually "filled" until they're clicked and turn white. Hidden fields would be unclickable, and never actually sent.
  Additionally, this wouldn't work for attempts to swipe via JS showing all fields, but grabbing the auto complete profile before submit.
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
15. Re:Just solve the bug... by Yvan256 · 2017-01-09 04:30 · Score: 1
  
  .hidden_field
  {
  margin-left: -999999;
  }
16. Re:Just solve the bug... by thegarbz · 2017-01-09 04:55 · Score: 1
  
  "don't autofill hidden form fields"
  How do you know it's hidden, for sure?
  How do you know if it's hidden nefariously? There are plenty of websites which show an increasing progression of forms (next buttons give me the shits) where new fields come into view after you fill out ones previously.
  But hey if this kills that web design practice I'm for it.
17. Re:Just solve the bug... by hcs_$reboot · 2017-01-09 05:01 · Score: 1
  
  missing unit
  
  --
  Slashdot, fix the reply notifications... You won't get away with it...
18. Re:Just solve the bug... by JustAnotherOldGuy · 2017-01-09 05:10 · Score: 1
  
  Hidden fields would be unclickable, and never actually sent.
  Errr....hidden fields are unclickable, but they do need to be sent.
  Hidden fields are part of normal form elements and often (usually) contain information that is required when submitting the form.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
19. Re:Just solve the bug... by AvitarX · 2017-01-09 05:45 · Score: 1
  
  Sorry, I meant to say fields with hidden visibility (color tricks, size tricks, etc) would never be sent if the auto complete was not put into the field (by the browser) until it was clicked.
  For the sake of slurping information, I assumed these were not fields kg the type hidden, but fields hidden from being seen, like text fields that couldn't be seen.
  If the browser didn't fill the DOM until a field was interacted with, then it couldn't be sneakily taken.
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
20. Re:Just solve the bug... by Qzukk · 2017-01-09 06:17 · Score: 1
  
  hidden fields are unclickable, but they do need to be sent
  The point here is that hidden/offscreen/behind logo/transparent/etc AUTOFILL fields should NOT be sent.
  While the idea has merit for consideration, the issue I see with it is going to be blind/tab navigation where you can tab into things you can't see and therefore confirm them. Screen readers should read the text being inserted and thus alert the user, but how many times have you ignored the fact that focus jumps all over when you're tabbing through a login form? (It's a minor annoyance for me when I tab from the username field and end up on some help button, tab again and end up on some lost password button, tab again and end up on some checkbox to remember me, before finally getting to the password box. The steam checkout page used to be a complete nightmare for navigation.) Would you really notice if you hit tab and the focus didn't go where you think it should? Or would you just keep tabbing until it got where you want.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
21. Re:Just solve the bug... by Anonymous Coward · 2017-01-09 07:04 · Score: 0
  
  Indeed, although with that number it would work with almost any unit.
22. Re:Just solve the bug... by JustAnotherOldGuy · 2017-01-09 07:28 · Score: 1
  
  Sorry, I meant to say fields with hidden visibility (color tricks, size tricks, etc) would never be sent if the auto complete was not put into the field (by the browser) until it was clicked.
  Ahh, okay, my misunderstanding.
  -
  
  For the sake of slurping information, I assumed these were not fields kg the type hidden, but fields hidden from being seen, like text fields that couldn't be seen.
  If the browser didn't fill the DOM until a field was interacted with, then it couldn't be sneakily taken.
  I'd bet there's still a way to fill in the fields (or extra alt-fields) by stealing the information...probably using some ajax and dom parsing and other sneaky tricks. For example, you could dynamically create some legit hidden fields on demand as soon as the submit function was triggered, fill in whatever info you want into the newly-created fields, and they'd be sent along with the rest of the form.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
23. Re:Just solve the bug... by JustAnotherOldGuy · 2017-01-09 07:37 · Score: 1
  
  The point here is that hidden/offscreen/behind logo/transparent/etc AUTOFILL fields should NOT be sent.
  Not only should they not be sent, they shouldn't even be filled in. But, deciding whether to fill them in often comes down to trying to guess the intent. Is the field just below the scroll, or is it really hidden in some illegitimate way? Maybe it's hidden in some legitimate way. It could be tough to determine why the field isn't visible, or even if it's not really visible. Hell, you could make a div act exactly like a form field, hidden or not.
  But frankly, even not sending the hidden fields wouldn't stop the problem from happening- with some sneaky javascript form fiddling you could copy the data from the hidden fields into some dynamically-created "legit" hidden fields, and they'd get sent along with all the other (valid) fields when the form was submitted.
  Using a browser these days is a lot like playing Russian Roulette.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
24. Re:Just solve the bug... by Kkloe · 2017-01-09 07:59 · Score: 1
  
  ok, still, how would the browser know if a element is not visible, check the discussion below as they talk about.
25. Re:Just solve the bug... by Kkloe · 2017-01-09 08:09 · Score: 1
  
  because he was talking when the submit action is called, the submit will not be called unless you press or something triggers a submit. And I was responding that you dont need to even press submit to send the form information to the server
  as I understood hes statement was that it would go:
  enter page->form is filled by the browser->user presses submit->information is sent to server as I said:
  enter page->form is filled by the browser->js triggers->information is sent to server (no user interaction is needed beside visiting that page)
  
  that why I was proposing that if the browser supports autofill, it is the browser who fills the form, but to do that, it requires some input from the user that can not be called by a js-script or anything in-bedded in the page
26. Re:Just solve the bug... by AvitarX · 2017-01-09 08:23 · Score: 1
  
  That's fine, but if the site is creating the data, it's not really slurping "private" information.
  My understanding from the summary is that this attack works by having a visible name and e-mail field, and invisible address fields.
  If one fills out the first two (less personal) info, they are leaking their address and phone number (by the auto fill of the other fields).
  If the browser (an update I suspect will come soon after this being revealed, or at least implemented like this in browsers implementing this in the future) simply left the autofill information unavailable to the DOM until the user actually clicked to fill a field, this attack no longer works.
  You do this by instead of filling the field, have an icon in it or some such, and a click fills it, still quite convenient for the user, but protected from secret fields the user can't see.
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
27. Re:Just solve the bug... by roca · 2017-01-09 09:07 · Score: 1
  
  That is exactly what Firefox does today.
28. Re:Just solve the bug... by JustAnotherOldGuy · 2017-01-09 13:31 · Score: 1
  
  That's fine, but if the site is creating the data, it's not really slurping "private" information.
  I wasn't clear enough when I write that, and that's my fault.
  The only reason for ajax is so that you could send the data out without having to even submit the form. It's not pulling data from the site, it's sending it to god knows where without anyone actually submitting the form.
  
  You do this by instead of filling the field, have an icon in it or some such, and a click fills it, still quite convenient for the user, but protected from secret fields the user can't see.
  They'll just have their malicious javascript click the icon, intercept the data, and silently copy it to a hidden field.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
29. Re:Just solve the bug... by AvitarX · 2017-01-09 16:40 · Score: 1
  
  Except the browser doesn't need to put the icon in the DOM either.
  The browser can far something that the user can interact with, but not JS.
  The icon would be drawn by the browser, not the website, it wouldn't be any more accessible (due to implementation) to JS than a separate window.
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
30. Re:Just solve the bug... by Opportunist · 2017-01-09 22:26 · Score: 1
  
  Ok, now I feel even odder for suggesting something Firefox does...
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
31. Re:Just solve the bug... by JustAnotherOldGuy · 2017-01-10 02:54 · Score: 1
  
  Except the browser doesn't need to put the icon in the DOM either.
  The browser can far something that the user can interact with, but not JS.
  The icon would be drawn by the browser, not the website
  These sentences seem to contradict one another, and I'm not sure what "The browser can far something that the user can interact with". (??)
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
32. Re:Just solve the bug... by AvitarX · 2017-01-10 05:15 · Score: 1
  
  My browser can draw something not in the DOM (for example, it makes autofilled fields yellow, but I assume JS doesn't see that).
  My browser can draw things on webpages that don't exist on the page (in the simplest form, a webpage cannot interact with the elements of an iframe (at least it didn't used to be able to).
  My point is the icon to click is created by the browser, not the webpage, and it can be rendered to my screen without the website having any ability to interact with it via JS.
  By requiring true user interaction to actually fill the form (as in put field contents into the DOM) there is no way for information to be scraped that the user did not place there.
  as for my inattentive auto correct to "far" I'm at a loss too, probably "draw"
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Obvious solution by BlueLightning · 2017-01-08 20:49 · Score: 1

Surely just only auto-fill visible fields?
1. Re:Obvious solution by Anonymous Coward · 2017-01-08 21:00 · Score: 2
  
  Determining visibility of an element is exceptionally hard in a browser. There can be overlays, transparancy, dynamic elements, or simply making elements visible for a split second in a corner, for autofill to work, then capturing the data and removing the elements. I'm sure we can come up with more creative workarounds. Supposedly Firefox works around the issue by prompting the user which fields to autofill.
2. Re:Obvious solution by Shane_Optima · 2017-01-08 21:24 · Score: 3, Informative
  
  Surely just only auto-fill visible fields?
  That sounds tricky as hell... how many different ways of hiding the fields are there? They could be tiny, they could be behind another element, they could be unlabeled with white text on a white background, they could be at the bottom of the page past the point where most people will bother scrolling, etc.
  
  If autofill absolutely must be used, the correct way to do this would be to warn the user with a popup that the website is requesting information XYZ, not unlike how they currently have a popup saying that a website is requesting your detailed location information.
  
  Also, I'm astonished this attack hasn't popped up before now.
3. Re:Obvious solution by Anonymous Coward · 2017-01-08 22:50 · Score: 0
  
  Determining visibility of an element is exceptionally hard in a browser.
  Not as hard as you think.
  1. Only autofill fields actually shown. I.e. not those fields that need scrolling to show. Only fields within the visible area, of whatever size the user uses for his browser window. Cuts out fields hidden by scrolling and fields hidden by offsetting to (-16383,-16383) or whatever.
  2. Don't autofill anything that is hidden/invisible/unclickable or unreachable through tabbing. Gets rid of many easy cases
  3. Don't fill anything (partially) overlaid by anything else. The browser do the layout, and knows this.
  4. Don't fill anything with a weak contrast (white on white, black on black, or light gray on white. Subtracting foreground color from background is easy)
  5. Don't fill anything more than 20% transparent.
  6. Don't fill anything specifying a different font than other fields. Rules out 1-pixel fonts, fonts where all characters are blank, and so on.
  7. Don't fill a field if there isn't room to show all of the filled-in information - without overlapping anything or going (partially) off-screen.
4. Re:Obvious solution by Luthair · 2017-01-09 03:29 · Score: 2
  
  Sometimes there are hidden fields which back other elements. There are also legitimate cases, e.g. Google's login page has a hidden password field which an autofill will complete allowing the user to skip the second step (though it isn't really clear to me why a login page needs separate steps for the username and the password...)
5. Re:Obvious solution by Sigma+7 · 2017-01-09 04:02 · Score: 1
  
  In any case where a website does silly stuff with entry fields, it's trivial to allow filling specific fields through a right-click menu, or through an easy method. Firefox already does this.
  
  why a login page needs separate steps for the username and the password.
  The theory behind this was to make it harder to sniff usernames and passwords, ignoring the fact that any sniffing utility already had a workaround.
6. Re:Obvious solution by Sigma+7 · 2017-01-09 04:34 · Score: 1
  
  If autofill absolutely must be used, the correct way to do this would be to warn the user with a popup that the website is requesting information XYZ
  Why must everything be a popup warning? You can instead have this in a right-click menu, or simply have the content available if the user presses a down-arrow in the relevant field.
  
  Also, I'm astonished this attack hasn't popped up before now.
  It first happened on MySpace, because that site allowed creating custom forms that tricked certain browsers into providing username/password information.
7. Re:Obvious solution by omnichad · 2017-01-09 04:38 · Score: 1
  
  4. Don't fill anything with a weak contrast (white on white, black on black, or light gray on white. Subtracting foreground color from background is easy)
  Sometimes when styling custom form elements, the border goes on a container rather than the element itself.
8. Re:Obvious solution by thegarbz · 2017-01-09 04:59 · Score: 1
  
  Except for the many website which hide field for aesthetic reasons which then come into view as you fill out other ones.
  But hey I'm all for killing that stupid practice.
9. Re:Obvious solution by Shane_Optima · 2017-01-09 05:32 · Score: 1
  
  You can instead have this in a right-click menu, or simply have the content available if the user presses a down-arrow in the relevant field.
  A lot of people are suggesting solutions in this vein, which is changing the nature of autofill by making it more cumbersome to use. I don't use it myself and don't plan to, but I suspect that one of the reasons why some people do like it is the ease of use. The popup, problematic as it is, is the one way to do this with a minimum of extra fuss. If you want to argue people are going to just click though it, well, there's no saving those people anyway.
10. Re:Obvious solution by jaa101 · 2017-01-09 12:59 · Score: 1
  
  You do realise that JavaScript can change the document at any time. A page could leave the elements visible for a tenth of a second, long enough for the checks you list to succeed, and then hide the elements before the user even notices. How hard will that be to deal with?
11. Re:Obvious solution by Sigma+7 · 2017-01-10 11:10 · Score: 1
  
  Popups cause unnecessary extra fuss in the event that you don't want to use autofill, no different than Clippy saying "It looks like you are writing a letter", and no different than popups from ad networks asking you to try out the poop-providing-penis-pills.
  Each time I restart Firefox, I get a popup asking me to enter the master password for saved logins. Since this popup is window modal, it slows down the process by claiming that logging into a site that I've already logged into is more important than actually doing what I want.
  These popups would provide exactly zero benefit for any user, since it's a tacked-on patch for something that shouldn't be an issue in the first place. If these popups start appearing for autofill, I'd find a way to disable autofill entirely because that will fix two problems at once.
I'm shcoked, I tell you. Shocked. by Anonymous Coward · 2017-01-08 20:50 · Score: 1

Come on, folks. It's obvious that browsers by now are the primary vulnerability our there (except perhaps the IOThingies, which are even worse).
A huge, complex piece of software, with several interpreters built in, ready to execute whatever they hoover up on the 'nets, with no clear business model (do they belong to the users or to the advertising industry? Most of the fat money flowing in the general browser's direction comes from... you guessed it; and these days money "means" ownership, alas) and with fuzzy borders...
What could possibly go wrong?
And no, not ranting at the heroes who try to get that running: they're heroes. But they're tilting at windmills.
Stupid feature anyway by know1 · 2017-01-08 20:50 · Score: 2

I don't understand people who even save passwords, let alone full profiles of themselves.
1. Re:Stupid feature anyway by KiloByte · 2017-01-08 21:02 · Score: 2
  
  I don't understand people who even save passwords, let alone full profiles of themselves.
  Saving passwords works separately and differently than form autofill. I find it useful for shit sites (ie, 95% of all passwords) -- and if you can get them if you pwn my browser, oh well.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
2. Re: Stupid feature anyway by Anonymous Coward · 2017-01-08 21:02 · Score: 0
  
  WAtch out! We got a badass over here!
3. Re: Stupid feature anyway by Anonymous Coward · 2017-01-08 22:30 · Score: 0
  
  WAtch out! We got a badass over here!
  Watch out!!!! we got a dumb ass over heeeeaaaaahhh!
4. Re:Stupid feature anyway by slashrio · 2017-01-08 23:16 · Score: 2
  
  I do save passwords, but in a separate vault. I pick them up (copy) there and paste them when needed.
  My 'vault' is a VM with no internet access under QubesOS installed on an encrypted HD.
  Of course there are backups on USB sticks, encrypted.
  
  --
  "Trump!!", the new Godwin.
5. Re:Stupid feature anyway by Anonymous Coward · 2017-01-09 10:19 · Score: 0
  
  Or come up with an algorithm to generate your user names and passwords based on the site you're visiting and you never need to remember a password again nor do you have to sync passwords across computers nor need to worry about a 3rd party getting hacked. Also come up with consistent method of tweaking said passwords for when some sites have crazy restrictions.
Bad design by Mats+Svensson · 2017-01-08 20:51 · Score: 1

Should be pretty easy to program this function properly.
How about, for example, making sure the filled in elements are 100% visible to the user?
1. Re:Bad design by Anonymous Coward · 2017-01-08 21:06 · Score: 0
  
  That's fantastically complicated. A better idea is to present the user with a UI pane rendered above the viewport that allows the user to see and confirm all the fields that could be autofilled.
2. Re:Bad design by darkain · 2017-01-08 21:13 · Score: 3, Interesting
  
  This is already easily broken, though. If you're only doing UI overlays on the Z axis as close to the user as possible, just fix position of the element outside of the view frame, such as top:-10000px
  A better solution would be to list all fields which will receive input data. Have the browser list out every single field. Inform the user BEFORE the action is taken.
3. Re:Bad design by Anonymous Coward · 2017-01-08 21:29 · Score: 0
  
  And how many people will read that list and verify that it looks like what it's supposed to look like?
  Or to put it another way: how many people simply check the box and click "I agree" when presented with a great long screed of legalese, rather than actually reading and understanding the legalese? People are lazy; given that the likelihood of a false positive is FAR more likely than hitting a genuine phishing attack, this will be just another annoyance that the computer pops up that has to be clicked on to make it go away.
  This is not a solution, in other words - all it will do is shift the blame onto the innocent user who shouldn't need to know this crap.
4. Re:Bad design by Anonymous Coward · 2017-01-08 21:58 · Score: 0
  
  Or just offer an (ignorable) popup in the corner of the screen that says "click here if you want to fill in the following fields/values" and list what data is going to be filled in. That would even work better, because the way it works now it has a tendency to autofill even when I don't want to. Or it autofills the wrong data, then when I correct the autofill, some of the old values (that only existed in the first incorrect data) are still there.
5. Re:Bad design by Opportunist · 2017-01-09 00:23 · Score: 2
  
  The ones that care.
  To the rest: Learn to read or get off the internet. No sympathy.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This is why HTML should be display neutral by Actually,+I+do+RTFA · 2017-01-08 21:19 · Score: 4, Insightful

HTML was supposed to define a page semantically (e.g. header 1). Letting it get crufted up with instructions on how to make it look pretty was a horrible idea (albeit one that came early on). A form should look like a form. No, I don't need whatever new hotness some designer invented with some colorscheme A/B tested to hell and back to try to trick me into clicking the desired button.

--
Your ad here. Ask me how!
1. Re:This is why HTML should be display neutral by Anonymous Coward · 2017-01-09 03:53 · Score: 0
  
  Even plain HTML can still trick you easily. For example, a page might have a login form at the top, then a bunch of articles and then tuck the offending fields somewhere down below.
2. Re:This is why HTML should be display neutral by thegarbz · 2017-01-09 05:05 · Score: 1
  
  Letting it get crufted up with instructions on how to make it look pretty was a horrible idea
  Sure if you wanted the internet to be DoA as a publishing platform it was a horrible idea. HTML was designed to present some very basic information. We've come a long way from the original design intent from HTML.
Proof of concept demo by Shane_Optima · 2017-01-08 21:35 · Score: 5, Funny

"don't autofill hidden form fields". Kudos to the researcher, but hardly a topic worthy of lengthy discussion?
Hmm.

If Field.IsCleverlyHiddenByAPhisher == False Autofill(Field) else /* do nothing */ end

Wow, you're right! That was easy!
1. Re:Proof of concept demo by hcs_$reboot · 2017-01-08 22:48 · Score: 1
  
  Besides the language, the code is good!
  
  --
  Slashdot, fix the reply notifications... You won't get away with it...
2. Re:Proof of concept demo by mwvdlee · 2017-01-08 23:08 · Score: 4, Informative
  
  If Field.IsCleverlyHiddenByAPhisher == False
  Whilst your at it, could you also add a `If Site.IsTryingToInstallMalware", so we can finally get rid of that problem too?
  I'd also like a "If DatingSite.WillProfileMakeOutOnFirstDate", but I think it might be too easy for you.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
3. Re:Proof of concept demo by Shane_Optima · 2017-01-08 23:26 · Score: 2
  
  I'm just waiting for someone to mention that my solution would be totally unnecessary if only phishing sites would properly support the standards outlined in RFC 3514.
4. Re:Proof of concept demo by hackwrench · 2017-01-08 23:45 · Score: 1
  
  a patch for FreeBSD 7 is available and is kept up-to-date
  Clearly, if this was implemented on every router, they could scan packets and set the evil bit and propagate it back to the originators. This could put a stop to DDOSs.
5. Re:Proof of concept demo by AmiMoJo · 2017-01-09 00:39 · Score: 1
  
  Field.IsCleverlyHiddenByAPhisher
  Do you have any idea how hard that field is to implement? I guess not.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
6. Re:Proof of concept demo by Shane_Optima · 2017-01-09 00:47 · Score: 1
  
  Woosh.
7. Re:Proof of concept demo by belgianpainter · 2017-01-09 01:20 · Score: 1
  
  How could this code possibly work? It's not indented properly!
8. Re:Proof of concept demo by AmiMoJo · 2017-01-09 01:24 · Score: 1
  
  Fair cop. Well played.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
9. Re:Proof of concept demo by Shane_Optima · 2017-01-09 01:28 · Score: 1
  
  I assure you the original was two-space indented. Slashdot doesn't seem to accept the leading spaces, even within the code or quote tags, while in HTML mode.
10. Re:Proof of concept demo by IWannaBeAnAC · 2017-01-09 03:01 · Score: 1
  
  That kind of code indicates some rather flawed logic. Why would you ever want to compare something against a boolean? Better to write simply If !Field.IsCleverlyHiddenByAPhisher ...
11. Re:Proof of concept demo by Anonymous Coward · 2017-01-09 03:20 · Score: 0
  
  Damn, beat me to it.
12. Re:Proof of concept demo by Anonymous Coward · 2017-01-09 03:27 · Score: 1
  
  In the name of portability? I regularly do comparisons for true and false. Granted it's because I do C coding which doesn't formally define true and false as part of the language and instead relies on typedefs or #defines. And yes, people always define false to be 0, and true to be 1, but just in case some jackass at some point in the future flips those, it's best to do the explicit comparison and let the compiler do the simplification.
13. Re:Proof of concept demo by IWannaBeAnAC · 2017-01-09 03:38 · Score: 1
  
  Argh, in C, comparisons against true (TRUE) or false (FALSE) are even worse style. Indeed, in C, defining TRUE == 1 is erroneous, because in C anything that is zero is false, anything that is non-zero is true. So in C, code such as
  if (a == TRUE)
  is a bug. Any non-zero value represents true, but this comparison only tests for a == 1.
  Comparisons against FALSE are OK, but flawed logic. It is anyway a boolean, so why not just test directly?
  if (a)
  In C, you should *never* do a comparison against TRUE. If you really want to do a comparison against a boolean value (which is never necessary, but perhaps, in some cases, might be a useful form of documenting your intent), compare against FALSE. eg,
  if (a == FALSE)
  if (a != FALSE) // the proper way of comparing a == TRUE
14. Re:Proof of concept demo by IWannaBeAnAC · 2017-01-09 03:41 · Score: 1
  
  And if someone flips the meaning of TRUE and FALSE, then you have much bigger problems on your hands. The whole basis of comparison operations in C is based around zero versus non-zero. The value '1' has no significance whatsoever.
15. Re: Proof of concept demo by Anonymous Coward · 2017-01-09 06:04 · Score: 0
  
  I copy and pasted it into my IDE and it doesn't work. Should I open up a stackoverflow thread?
16. Re:Proof of concept demo by Qzukk · 2017-01-09 06:19 · Score: 1
  
  They made up their own code tag called <ecode> for that. It's been a while since I've tried it though, it might be broken too like half the other stuff around this joint.
  
  if next_line_is_indented: still works
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
17. Re:Proof of concept demo by Anonymous Coward · 2017-01-09 08:53 · Score: 0
  
  you reiterate the point but then say "I guess not". I'm not getting this. Are you a fucking moron or am I?
The browser should just show what it's filling in by Anonymous Coward · 2017-01-08 21:57 · Score: 0

The browser should show a dialog listing all the information that it's going to fill in. OK or Cancel. Done.
This Kills Autofill by jaa101 · 2017-01-08 22:41 · Score: 4, Interesting

The only responsible action for the browser companies to do is to kill off autofill. There's no reliable way for the browser to be sure the user can see which fields have been autofilled. Any attempt to popup and warn the user is going to be annoying, reduce the convenience of the feature, be confusing and people will just click-through 99% of the time anyway. This is why we can't have nice things.
1. Re:This Kills Autofill by geekmux · 2017-01-08 23:18 · Score: 1
  
  The only responsible action for the browser companies to do is to kill off autofill. There's no reliable way for the browser to be sure the user can see which fields have been autofilled. Any attempt to popup and warn the user is going to be annoying, reduce the convenience of the feature, be confusing and people will just click-through 99% of the time anyway. This is why we can't have nice things.
  Perhaps the only responsible action intelligent people should take is to leave the features intact (the lazy masses will demand this anyway), and allow the idiots who favor convenience over privacy to learn their own lessons the hard way.
  Wisdom is a great teacher, but ignorance often demands Experience to be their guide in life.
2. Re:This Kills Autofill by Anonymous Coward · 2017-01-08 23:32 · Score: 0
  
  Any attempt to popup and warn the user is going to be annoying, [...]
  Then let it be annoying. Also, add a checkbox, that needs to be ticked for the data to be sent, next to each field to give the user complete control of it.
3. Re:This Kills Autofill by samjam · 2017-01-09 00:25 · Score: 1
  
  Do you REALLY think that the popup will reduce the convenience MORE than REMOVING THE FEATURE ENTIRELY?
  
  --
  blog.sam.liddicott.com
4. Re:This Kills Autofill by Anonymous Coward · 2017-01-09 01:10 · Score: 0
  
  The worst part is this was 100% predictable that this would happen. ANY time you have data automatically populated it can be abused. Something that lowers the barrier to entry for an attacker is a bad idea in general.
5. Re:This Kills Autofill by AmiMoJo · 2017-01-09 01:28 · Score: 2
  
  It would be better for everyone if there was some standard way for web sites to request certain personal information that is necessary for online shopping and the like. Easier for users to have a consistent UI instead of every site using a different form, and better for security as the data can be better controlled.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
6. Re:This Kills Autofill by jaa101 · 2017-01-09 02:58 · Score: 1
  
  No, obviously not; that's why I listed multiple reasons why autofill has to go. The big one is that people will just click-through without understanding.
7. Re:This Kills Autofill by tlhIngan · 2017-01-09 06:09 · Score: 1
  
  The only responsible action for the browser companies to do is to kill off autofill. There's no reliable way for the browser to be sure the user can see which fields have been autofilled. Any attempt to popup and warn the user is going to be annoying, reduce the convenience of the feature, be confusing and people will just click-through 99% of the time anyway. This is why we can't have nice things.
  Or how about simply modifying the browser to only autofill fields that are visible when submitted? Chrome highlights auto-filled fields, so it knows when it did it. And the browser also knows which fields are user-visible (it's the UI its presenting to the user). Thus, if a field isn't visible, it isn't filled in. And you can even make it so it's only fields visible when the button is clicked (mouseDown) is when the fields are captured so no funny Javascript shenanigans with making more fields visible before submission. You click it, the field lists are captured and locked, Javascript can try to play around with the fields but not have any effect (the field list is already captured), and then the form is submitted as is.
  You keep the functionality, you prevent this sort of secret information leakage down, and the user doesn't see any visible change. Win-win.
The whole model is rotten to the core. by Anonymous Coward · 2017-01-08 22:42 · Score: 0

Watch most comments (except a few snarky ones) fixing a touch of paint on a window sill here or on a bulging patch there: the whole house's frame is rotten and the roof is already leaning perilously.
As long as we can't answer the question properly "whose browser is it"? we are not at the meat of the matter.
Stakeholders, in rough order of involvement:
- advertising industry
- state actors, more or less shady
- "intellectual property" industry
- 499 more, not named here
- the user
Guess how much weight the user's interests have. Of course, for those stakeholders at the top, user's *trust* makes a difference (as long as there are different "brands" of browsers), but only perception really matters: a warm, fuzzy feeling that "you are being taken care of".
What really drives me crazy is the blindness of techies, insisting that "making sure the filled in elements are 100% visible to the user" or "just offer an (ignorable) popup in the corner" or "HTML should be display neutral" would fix anything. Best case it'd stuff that hole in the (totally rotten) front door threshold while the mud is rushing in through than gap left by the collapsed rear wall.
1. Re:The whole model is rotten to the core. by Anonymous Coward · 2017-01-08 22:55 · Score: 0
  
  As long as we can't answer the question properly "whose browser is it"? we are not at the meat of the matter.
  A good point, but easily resolved by sticking to an open-source browser. There are several, some are not funded by advertising. Ditch the commercial alternatives, and you can have browsers that do what you want.
  Don't try to save the world - the sheep will always use windows and whatever default browser there is. But you and anyone who care can have a decent browser and a web that is ok by our own standards.
2. Re:The whole model is rotten to the core. by Anonymous Coward · 2017-01-08 23:06 · Score: 0
  
  > A good point, but easily resolved by sticking to an open-source browser. There are several, some are not funded by advertising.
  Sadly, this isn't true. The humongous (and often thankless) amount work a modern browser devours has to be financed some way: guess where the money the Mozilla Foundation receives comes from: mostly Google, basically an ad company. Now name me a *relevant*, *free* browser, independent of Webkit, Blink or Gecko (heck: name *any* browser independent of those three and Trident).
  And don't get me wrong, I'm still thrilled that such a huge piece of software is free, and those there in the hurricane's eye are heroes, but I just refuse to close my eyes to the price we're paying for that. Perhaps we gotta pay it, perhaps not, perhaps we haven't even a choice, whatever. But denial ain't a solution.
I don't save passwords, I don't autofill forms by Anonymous Coward · 2017-01-08 23:39 · Score: 0

I don't autofill forms. Ever. Since I'll review the data in the fields anyway, I'll just type it myself or use the down arrow to get a historical entry all by itself. If it goes yellow and attempts to fill in a set of fields at once I skip it.
Re:One user by hackwrench · 2017-01-08 23:51 · Score: 1

I am one user who uses autofill and would glance over such a thing to make sure I am sending what I think I am sending. Recently the autofill has been appending the day of my birth to my address. I even saw it append it twice! I would really welcome such a feature for reasons in addition to accidental overshare.
Re:Saved passwords by hackwrench · 2017-01-09 00:01 · Score: 1

Well, Ideally you would have a different password for every site you log into. Some sites store the password or some way the current password can be recovered, so that if they get hacked or something the attacker will try it on other sites. You can try to remember them all, but I prefer to keep them in a password protected cache that I remember the password to and don't save.
Confirmation dialog with all fields? by swb · 2017-01-09 00:23 · Score: 2

The browser should place an "autofill" button on the toolbar or someplace off limits from any web site manipulation.
This button should open a dialog box listing all the fields to be filled with the data to be filled, with checkboxes to enable/disable filling certain fields and to edit the data that is submitted.
This would allow the user to be certain as to what form fields were filled and which ones weren't in a UI environment not controlled/manipulated by the web site.
Perhaps they could even extend it to create "profiles" of common field data that would allow you to choose from various sets of data (different addresses, phone numbers, etc) to fill in.
But they should make use of the browser-controlled autofill dialog mandatory and never fill web page fields unless the user interacted with the browser autofill dialog so that sites couldn't mine data through hidden fields or cause accidental autofills from taking place.
1. Re:Confirmation dialog with all fields? by StikyPad · 2017-01-09 04:44 · Score: 1
  
  It seems like the best solution in this case is to simply admit defeat -- that autofill profiles aren't a good idea -- and remove the feature. Your workaround, and others proposed, suffer from the weakness that they're more complicated and higher-risk than simply typing the information into the appropriate fields, the way God intended.
  
  --
  https://www.eff.org/https-everywhere
2. Re:Confirmation dialog with all fields? by swb · 2017-01-09 05:13 · Score: 1
  
  I think the reality is that there's too many forms which need filling out too often and auto-fill isn't going away, ever, so the answer is how to make it safer and more transparent to the user what info is being filled in.
  At least with a user-initiated form-fill action supported with a confirmation dialog box with the fields & data to be filled prevents the most common mishaps of existing form-fill -- filling in the wrong data into the wrong fields or getting hidden fields filled with data they shouldn't have.
  I'm not sure how much more complicated it is, either. You *could* make it complex with lots of feature-add-ons (varying profiles or form-fill templates), but at least then you're supplying more user control over what gets filled and where.
You FAil It. by Anonymous Coward · 2017-01-09 00:26 · Score: -1

the fact5 and fuelinUg internal is dying.Things
Never use autofill by Anonymous Coward · 2017-01-09 00:27 · Score: 1

I never use autofill and I turn it off whenever possible. It is the fear of exactly the same kind of shit that keeps me away from it.
Basically, if the browser knows about your identifying information, you should assume an attacker knows already.
Re:Saved passwords by know1 · 2017-01-09 02:04 · Score: 1

Still stupid. I have seperate passwords for all the sites/devices I own. The trick to remembering them is to have a system - so if you forget it you can work out what the system is depending on the site. Don't do something stupid like have the website name as the password though, obviously...and I can't tell you my system because then it would be compromised. Have a think though, and I'm sure you could come up with something.
Lynx by Frosty+Piss · 2017-01-09 03:09 · Score: 1

HTML was supposed to define a page semantically (e.g. header 1). Letting it get crufted up with instructions on how to make it look pretty was a horrible idea (albeit one that came early on). A form should look like a form. No, I don't need whatever new hotness some designer invented with some color scheme A/B tested to hell and back to try to trick me into clicking the desired button.
The solution to your problem is this great browser calld Lynx. Google it!

--
If you want news from today, you have to come back tomorrow.
1. Re:Lynx by edtice1559 · 2017-01-09 03:55 · Score: 2
  
  Unfortunately many sites don't render well in Lynx. I hope that as the HTML standards evolve Lynx will work better. Also there isn't as much active Lynx development and, sadly, it has it's own security holes ;(
Re:Saved passwords by Ungrounded+Lightning · 2017-01-09 03:17 · Score: 1

The trick to remembering them is to have a system
On problem with systems is the wide variety of disallowed / allowed / required characters in passwords for various sites ("minimum of eight characters, at least one lower case, one uppper case, and one digit (but we won't accept puncuation marks and don't say that)"), in rulesets that are only displayed when you set the password, not when you enter it.

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
"when he submits a form" by Anonymous Coward · 2017-01-09 03:20 · Score: 0

In order to be affected you have to submit a form to a site. File this one under "you get what you deserve."
Re:Saved passwords by mark-t · 2017-01-09 03:36 · Score: 1

Is there some reason you can't be bothered to write down the ruleset if you think you wouldn't remember it?

--
File under 'M' for 'Manic ranting'
Re:Saved passwords by hackwrench · 2017-01-09 03:40 · Score: 1

My typing isn't perfect and it would be frustrating attempting to type the password in over and over again for one.
HA! And Chrome wants to autofill even CC numbers! by Anonymous Coward · 2017-01-09 04:24 · Score: 0

Combine this with the fact that Chrome has been wanting as of late to autofill even CC numbers .... New vector for collecting CC numbers for fraudulent charges
What is so bad about what it can get by SuperKendall · 2017-01-09 06:39 · Score: 1

Of all the items the hidden autofill can access, "phone" is a little annoying. But not that much. I can pretty easily now block calls and span texts.
It's not like it is auto-filling CC details for example. That is triggered separately from address data.
Are you worried someone is going to send you a catalog you did not ask for? Welcome to the party pal.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Re: Saved passwords by Anonymous Coward · 2017-01-09 08:11 · Score: 0

Dude, just get KeePass.
I can't be the only one... by Macdude · 2017-01-09 08:36 · Score: 1

I can't be the only one who has disabled auto-fill from day 1 for precisely this reason, am I?
Security isn't hard if you think about it during the design stage and you're willing to scrap designs that are inherently insecure, such as automatically sending personal information to random web sites.

--
"Grab them by the pussy" -- President of the United States of America
Re:Saved passwords by Ungrounded+Lightning · 2017-01-09 09:58 · Score: 1

Is there some reason you can't be bothered to write down the ruleset if you think you wouldn't remember it?
You're kidding, right? Writing down the rule set would be writing down ALL of my passwords, past, present, and future. B-b
But my point was that:
- The variability of "password quality" rules means the ruelset has to be complex enough to handle different cases for sites with different rulesets.
- The lack of display of the site's password quality rules at login means a password generation ruleset isn't enough. You still need to record something about the particular site to know which workaround branch of the ruleset to use with the site.

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Re:Saved passwords by mark-t · 2017-01-09 10:12 · Score: 1

How does writing down the ruleset that a site requires, which is information that you get when you first create the password, allow anyone to guess your passwords? This is information that anyone who was setting up a password on that site would already know anyways, or at least be able to trivially get. You would be no more compromising your own passwords with such information than you would be compromising everybody else's.

--
File under 'M' for 'Manic ranting'