Less Than 1 in 10 Gmail Users Enable Two-Factor Authentication (theregister.co.uk)
It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it. From a report: In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka this week revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.
That's a lot considering how many email boxes they have.
Not everyone wants to give Google more personal info -- working phone #, alternate email, etc and so forth.
Also, this doesn't work well with standards-compatible email clients like Thunderbird or K-9.
It's a fucking pain in the ass to use, and if you're into security, you're not using gmail...
About 3 years ago someone stole roughly 2.45 BTC from me.
The event was a real wake-up call for me security-wise. They hacked my e-mail address to access a password reset form on Coinbase and they used social engineering on my cell phone carrier to forward SMS messages (which I used as 2FA on Coinbase) to steal that money from me. Ever since then I've had all my 2FA set up through Google Authenticator instead and 2FA set up on literally everything I can.
It was only worth about $700 at the time, but now . . .
In a bit of shameless internet panhandling, I accept Litecoin Donations at Lbd2oH9QsthD1GfuUXPyka12YxvWJYnBVf
Because I refuse to give Google my cell phone number to text me, because there is no way in hell they need to be able to track me even further.
That's a big old "hard no" there, chief.
Google's 2FA is as much about them getting more information about you as it is your security.
I use my gmail account as a spam dump - you want to send me something that I'm not asking for, you get my gmail account. I suspect many other people use it for that as well. Note that this only assumes accounts using the "gmail" domain and not business accounts that are hosted by Google (and are gmail accounts in all but name).
Next on the list are kids who wouldn't be savvy enough (or have a credit card/cell phone); I don't see them using two factor authentication. Then you have companies that create accounts for testing and demonstrations. Finally, you have people who don't think their privacy, information, social security or credit card numbers are important enough to warrant entering a number that comes through on their phones when they log into their GMail accounts. Put them all together and 90% not using two factor authentication seems reasonable.
For the many people that will disagree with this post, you can voice your concerns via email at myke.predko@gmail.com
Mimetics Inc. Twitter
Why is everyone talking about cellphone numbers and SMS?
Aren't we talking about Google's own Authenticator application?
#DeleteFacebook
The main reason that I haven't enabled 2-factor on my account is that U.S. cellular carriers charge not only for sent messages but also for received messages. T-Mobile, for example, charges its pay-as-you-go customers 10 cents to send and 10 cents to receive. And no, Google and Twitter don't allow use of a FIDO U2F key or a TOTP client without also having a mobile phone number set up.
Part of the problem with password managers is that the reviews are so poorly written. I have looked for: free, easy to use, cross-platform. Yes, of course I have googled it. I still cannot find one that is good enough to recommend to my students.
For example, when two people need (legitimate and approved) access to the same email account in order to receive confirmation codes from, say, our bank. The authenticators have to be set up simultaneously on two devices (one per person) and have to STAY in sync. If my wife's phone runs out of charge (this has happened), you have to go through the whole resync process again. I won't say it's a pain in the neck. I have a much lower opinion of it than that. I tossed two-factor out.
When Google sets up some method whereby two-factor can be (verifiably) approved so that two people can conveniently share an account, I'll be interested. But not until then.
You are correct that Google publishes a TOTP client called Google Authenticator. But when I installed Google Authenticator, I discovered that Google is unwilling to offer TOTP authentication unless the account holder has already linked a phone on a supported carrier. From "Install Google Authenticator":
I had 2FA enabled, then left my phone in an Uber by accident and a subsequent passenger stole it. The emergency 2FA codes I'd printed out didn't work. In order to track and remotely disable my phone, I ended up having to use a computer which I'd thankfully left logged into Gmail to disable 2FA for my account (which for some reason it allowed me to do without any 2FA code), after which I could do what needed doing. I haven't re-enabled it since because I realized that losing or breaking my phone is frankly more likely than having my password stolen, and losing my phone with 2FA enabled can be a disaster of its own (even if emergency codes work, what if I don't have them with me? And if I need to carry them with me whenever I stray more than an hour or so from home, that makes it much more likely that the emergency codes themselves could be lost or stolen.) As I learned after that incident, any other services you've tied into Google Authenticator 2FA also become a huge hassle to regain access to, because just installing Google Authenticator on your replacement phone won't cut it.
"Fewer."
(this is not a
Everyone thinks their secret box is more important than their neighbor's secret box.
Guess what, all your emails are boring! I've been an SA since the 1990s and root on thousands of Unix servers dating back to SunOS-4, and no one has anything interesting in their emails.
Stop inflating your egos by thinking everyone is after your special sauce. Unless you're connected to a politician or celebrity, no one gives the fattest rats posterior what you gotta say or what you're sending plaintext.
is to remind my girlfriend to buy dogfood when we're out. Good luck to anyone who steals access.
What I'm bitching about is if ANYTHING happens to either of the two devices, you have to go to a fair amount of trouble to reinitialize the synchronization of the Google apps. My wife's phone does NOT live a sheltered life and has gone down on more than one occasion.
If you're using Google Apps on a domain with a delegated SSO, MFA may not be an option for you.
Whoever chooses to use gmail isn't very serious about privacy anyway.
So far I don't trust any of the password managers available for mobile. Better to keep it all in my head.
Exactly my thinking. With a password manager they only need to get past one password to know everything. Not just what all your passwords are, but all the websites you have passwords for.
"That's the way to do it" - Punch
I hope they realize that some of us use many of these accounts with non-standard, human-less devices that aren't PCs, tablets, nor cellular phones.
You might want to look up what TOTP actually stands for. Hint: the first word is Time.
You can configure as many devices with the same seed as you like. Your wife simply needed to turn her phone back on and give it a moment to sync time with the cell network.
You can get rich if you own a politician, but you have to be rich to buy one in the first place.
You have to add a mobile number to set up a FIDO U2F key or a TOTP client, but you can just remove it right after. IDK why they do it that way.
Last I checked, removing your mobile number from your account had the side effect of also removing FIDO U2F or TOTP from your account. At least Twitter does that. From "Twitter's 2-factor authentication has a serious problem" by Jack Morse:
Does Google also disable TOTP access after you have removed your phone number?
With a password manager they only need to get past one password to know everything.
If you decide to put all your eggs in one basket, WATCH THAT BASKET!
He's getting rather old, but he's a good mouse.
The 2FA at my employer uses a text message to give me a code that I can then use to VPN in. That's great. Except when my phone doesn't get reception. Or when I'm working in a room where carrying wireless devices isn't permitted. Or if I forget to bring my phone with me. Security isn't for free.
If you are using a random unique password per site, then the additional protection offered by 2FA is effectively zero.
With a password that is not re-used, there are two possible attacks: (1) phishing, (2) malware. If you are tricked into entering your password on a phishing site then you will almost certainly be tricked into entering your 2FA. If you have malware it can jack your session anyway.
"2FA isn't secure if it only relies on a phone number as a substitute for cryptography. A single call to the outsourced customer service department of your phone company could transfer your number to the sim card of a malicious actor."
So now it requires they know your phone number, and dedicate up to an hour or so of human time, of a human capable of social engineering a telco rep...to transfer a sim. They'll do that for a specific high value target, but not some rando.
Plus, without 2FA, I've already pwned your account and stolen your bitcoins by the time you read this post. With 2FA, assuming I can even figure out your phone number (not a given), I'll still be on hold with your telco for another 10 minutes before I can even attempt to start social engineering a SIM transfer.
You're absolutely right... 2FA isn't perfect, especially SMS-based 2FA. But it's about a million times better than no 2FA at all.
Passwords are bad, but are a lot less annoying than passwords plus 2FA. The loss of the second factor is basically a nightmare, and each service wants you to use their own app or whatever. Even changing phones becomes a hassle. I get it for an enterprise environment, where in an emergency, you can call your local IT guy and get them to reset it for you, but if something goes wrong with Google you're screwed. You can't even pay to talk to someone to get it fixed.
This is a moot point if you buy your own email. If somebody gets your password, change it yourself. Or, enable 2 factor authorization, and don't give Google your cell phone number. Email costs $2/month.
I don't respond to AC's.
Those numbers are completely absurd. Chrome + Safari alone is 70% of the browser market, and those both have built-in password managers.
So 58% of computer users don't know that they're already using a password manager.
Really?
Check out my sci-fi/humor trilogy at PatriotsBooks.
The way I see it, it's not a question of what information you do or do not give Google. If you choose to use their service, then you're agreeing to their terms, and part of those terms is the information they collect. Don't like it? Find another email provider who doesn't collect any information. If you're really serious about security, open your wallet and get your own email through a private provider, or stand up your own server that you can secure however you want and thus can be assured your data is safe. The discussion of whether or not to use 2FA is completely separate from that.
I've used Google Authenticator to secure my Google account for a long time. When Google rolled out the advanced security option, I signed up as soon as I had FIDO keys in my possession. Why? Because your email is the gateway to everything else. Someone who gets access to your email can then get access to other accounts tied to that email address simply by going to the website and hitting "reset my password". Your concern should be making sure that someone can NOT accomplish that by having the ability to hack your shit remotely, and that's where 2FA can really help you.
Not so, they need to get past a password *and a key file*. Keepass stores it all locally, and (optionally) requires a file to decrypt as well as password.
Can be awkward putting your keyfile somewhere secure and fetching it on mobile (unlike a PC where you can keep it on a USB drive that you remove when not using it) but it can be done if you're paranoid by storing it on the cloud or remote location, or even just obfuscating it by using an ordinary file such as a picture or music mp3 as the keyfile.
If every time you open your DB you have to select the file (and set it to not remember the history, obviously) then you're as secure as anything, particularly if you use 1 picture out of a folder full of a thousand.
Since I cannot have a cellphone in the office, no 2FA for gmail for me.
What if he has only one head to give?
You can only behead them once. If that is what is mint by losing your head.
I'll see your senator, and I'll raise you two judges.
Two devices can stay in sync using the current date and time. If your bank couldn't figure out how to resync using that obvious mechanism I don't know what to tell you; every single authenticator app I've seen uses it.
The synchronization should be handled by the device's clock. Either your wife's phone does not work properly with such a basic feature (which is required for 2FA to work in the first place) or your bank has no idea how to properly handle 2FA security. If I were you I'd be worried about how they handle other types of security.
I'm not going to use 2 factor because I don't want Google to know my gmail address.
I'll see your senator, and I'll raise you two judges.
It doesn't make any difference if you don't own a mobile.
Just because my browser has a built-in password manager, doesn't mean I use it. I use Keepass instead, and I have no idea how Google would know that, so I wonder what the basis for their statistic is.
[A pay-as-you-go plan] is cheap, but effectively worthless for anything other than a rare quick phone call or text message
I use it for exactly that. Longer voice calls wait until I arrive at home, where we have a phone on a different plan with unlimited minutes and zero texts. Longer text conversations wait until I arrive at home or at a hotspot, where I use Internet-based text chat or email.
and if it's actually a smartphone, then it's a waste of resources altogether.
I disagree. Even without cellular data, my Android phone is no more "a waste of resources" than an iPod touch. On this 5-inch tablet, I can still access locally stored information anywhere and connect to the Internet at any hotspot.
If you carry a device for emergencies only
I carry it not only for emergencies but also for the sort of urgencies for which one would have used a payphone in previous decades. The most common is calling home to arrange a ride after the city buses have stopped running for the night or for the weekend.
Your 2FA can be via mobile phone (SMS), another email account, the Google Authenticator app (though I'd recommend Authy instead), or a pre-generated set of recovery keys you can store on your computer (or write down on a post-it and stick it to your monitor if you wish). The latter two don't require giving up any personal info, and are arguably more secure anyway.
Just because my browser has a built-in password manager, doesn't mean I use it. I use Keepass instead
You aren't using it because you are already using something else. But for 90% of the public, if a popup asks "Do you want Chrome to remember this password?", they are going to think "Sure, why not?". But if someone later asks them "Are you using a password manager?", they will say "No", because they don't even know what that is.
The concept is great, but if I accidentally left my phone at home, I'm locked out of my email.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
So getting all your email isn't a concern
Here I assume you mean someone ELSE getting my email? Honestly that is less of a concern to me than Google having more information on me, yes.
That said, Google already has my phone number through lots of other means so I'm not sure I care that much. Still have not turned on two-factor because I use secure passwords (yes, I know two-factor would still be better). One impediment is having to re-enter passwords across several devices after I switch over.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
So I switched them all to Google Phone number. In my google phone account I set up the SMS to echo to gmail. The gmail account also uses 2FA but these are my desktops at home and work, and one chromebook at home. So even if I lose my phone, I have my desktops to get the authentication codes.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The head manager handles that.
"Believe me!" -- Donald Trump
With 1Password you don't have to use their cloud. You can still buy the non-subscription versions and use Dropbox. mSecure 5.5 allows wifi or cloud sync without using their cloud.
I tried Google's two factor for about six months. It was a PITA! The app would randomly stop working and when I was on another device it would make me jump through nigh infinite hoops to log me in. If the pain exceeds the user's threshold they aren't going to use it unless they have to. I turned it off and have never tried it since. Most users have less patience than I do so 1 in 10 sounds about right.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Pro tip: 2fa on the password manager.
It is about shifting security risks around. Using the same (or a similar) password on multiple sites versus a PW manager allowing for more secure entries per site.
In the past, I just did an MD5 of my master password and the site name and used that, but with the varying length, character, and other requirements sites have, that isn't as feasible as it used to be.
The question is... is the risk of the master password being lost greater than someone figuring out that you use a similar PW on a bunch of sites to get in? I prefer to use solid passwords with every site, so I take the PW manager risk. If someone is keylogging my machine, I'm hosed anyway, and that is what 2FA is for.
2FA has made me stop using my Google account. I previously used it for some Google groups. But now when I get an email saying that there is a new message there, I click the link to read it, and then give-up because I have to do some process that involves a text message and entering in a code. At that point I just close the window and forget about it. There are better forums out there that don't require such nonsense. I don't even know how they got my phone number in the first place - probably because I have an Android phone that uses the account.
On the other hand, I will happily use 2FA with my work VPN and my bank. There's something worth securing there. Google just set the bar too low. You want to send me a text message to confirm a comment on a YouTube video? No thanks.
People used to complain that they had to remember too many passwords to different services. So now, everyone logs into everything via Google or Facebook, which makes them 10x more vulnerable. So now we have to use 2FA to secure everything because it is such a treasure trove of data. We were better-off the old way.
Yubikey and Lastpass. Even secures my computer with the former. You can even store PGP keys if one wants to do that. For those with a mobile phone there's a NFC version as well.
With a password manager they only need to get past one password to know everything. Not just what all your passwords are, but all the websites you have passwords for.
But they would also need access to the password store file, which should only be on your computer. The main advantage of a password manager is that you can have different, complex passwords for each site, so that if one of those sites has a data breach (which you'd be assuming is more likely than having your personal computer compromised), the attackers don't get your password to a bunch of other sites.
Like Apple's, etc.?
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
For, who uses gmail for anything serious?
Just because my browser has a built-in password manager, doesn't mean I use it. I use Keepass instead, and I have no idea how Google would know that, so I wonder what the basis for their statistic is.
So Chrome doesn't necessarily use its *built-in* password manager either. If the system provides one (e.g. GNOME, KDE) then it will automatically use that; you can also configure it to use another one. I believe there are LastPass and KeePass extensions for Chrome to use them instead of the built-in supported ones too.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
Anyone clicking "Yes" on a "Remember the password for this Site?" prompt in Chrome, Firefox or Safari is a complete moron. Why would anyone trust Apple, Google or Mozilla with the Keys To Their Kingdom? I might have trusted Mozilla with them a decade ago, but not any more.
If you use your gmail account as the primary account on all of your other sites, you are trusting Google with the Keys to Your Kingdom. Substitute whatever email service provider you use, because anyone who controls your email can almost certainly reset the password on any other account you have, unless that other account has some 2FA of its own. Security questions are weak in general, but even weaker against someone who has all your email and can mine it for answers.
Also... you're apparently saying that you trust Google, Mozilla or Apple enough to type your passwords into their browsers but not enough to use their password storage solutions. Does that make any sense at all? The only way it makes sense is if you assume that they're not competent to properly secure the password database (which is fairly easy), but are competent enough to get the rest of the security right (which is very hard). It clearly makes no sense if you assume they might be maliciously interested in stealing your passwords, because you're typing your passwords into their browser.
And, FWIW, if you set a sufficiently-long sync password on Chrome, Google has no access to the passwords that Chrome stores for you. Yes, they all get uploaded to Google, so they can be synced between Chrome instances on different machines, but they're all encrypted with your sync password.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Those numbers are completely absurd. Chrome + Safari alone is 70% of the browser market, and those both have built-in password managers.
So 58% of computer users don't know that they're already using a password manager.
Really?
TFA isn't talking about Password Managers but about 2-Factor Auth which is entirely different from using a Password Manager. A Password Manager is only good for storing one of the two factors; the second factor is dynamic and comes via YubiKey, soft-key (GAuthenticator), SMS/TXT, etc.
My /. password hardly constitutes a kingdom. Honestly, I don't give a crap if Google has it. And neither does Google.
Android Apps and Third-Party Auth Integrations that don't support 2FA...
Really...I enabled 2FA across my google accounts and had to disable it b/c I had too many things that didn't support the 2FA protocols. I still use the app password for Gmail though; it's still partially enabled in that respect. But until Android Apps and third-party auth integrations are forced to support it it won't go anywhere. I'd love to do so, especially using a FIDO/YubiKey solution; though again Android fails there as too many Android devices don't support the hardware tokens via USB, even with the dongles to hook them up.
100% correct. Handing passwords over to a third party like that is retarded. KeePass is the correct solution.
The "second factor" in most cases can absolutely be put into something like KeePass if you have the plugins to work with it. It's just a seed you jam into a hashing algorithm along with the current time.
The only ones you need a third party for are those which are unknown to you (an awful idea). For example, a site sending you a one-time code (randomly generated, hopefully) via text or email. That's not 2 factor, that's 2 channel. (And SMS is a joke in terms of security, and email just verifies the person logging in has access to that email; there's no actual check that they are the person they claim to be.)
Multi-factor authentication traditionally relies on 3 things. Something you are (a fat, ugly slob), something you have (the worst BO of all time) and something you know (a password). In the real world this works just fine. The guard at your workplace knows you, asks to see your badge, and you put in your password into whatever terminal. There is active verification of these 3 different types of criteria. On the internet, they try to ape that security but in the end it's all "something you know". Whether that's the password, the seed for someone's password-generating clock, their phone number to pull the SMS down, a hash of their retina/fingerprint/anus/etc. it doesn't matter.
It's one point to attack/corrupt/infiltrate.
So I'm leery of using a password manager.
Instead I have really long algorithmic passwords.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
My keyfile is a specific string of text (with no returns to avoid the /n/r and /n text file differences between Windows and *nix). That way I can't lose it unless I forget that string of text, and I can easily remake it if need be from any text editor.
2FA is more secure, but annoying. Massively annoying if you log into several 2FA secured accounts over the day. I'm accepting it for online banking and similarly important business, but not for my throwaway gmail accounts.
Clef was 2FA done right, and I have high hopes for SQRL, but it seems slow in coming out with actual clients that normal people can use.
As long as the usability factor for 2FA is somewhere between annoying and hostile, it won't see more adoption.
Assorted stuff I do sometimes: Lemuria.org
If my bank asked me to use two factor authentication, I would consider it, as my bank account needs to be secure. But for google, why? It's fluff, I could lose the account tomorrow and not much would happen. I don't have it linked to any credit card numbers, identification numbers, etc.
So why are fluffy social media sites and games encouraging this, but important stuff that need security is not?
Anyway, two factor means I have to have my phone all the time, and if I lose or sell it I am going to have a major hassle trying to get back into my account. I don't want Google of all people to have this sort of information.
I had to train my mom not to do this. She lost her Firefox profile and could not remember any of her passwords, and importing the profile from an old computer wasn't working. She wrote them down in a file but in a really jumbled up manner that I couldn't make sense of. I eventually figured out how to decode the profile that had the passwords. But until then we had no access to the ISP and I was ready to go and beg with them over the phone or in person to reset the password.
I just checked, and the text is indeed out of date. I was able to set up 2FA for my account by using a Samsung Galaxy Tab A 8" (an Android tablet with Google Play) as my second factor instead of a cell phone.
Twitter has some catching up to do.
competent to properly secure the password database (which is fairly easy),
If they are competent, then they must be unwilling to secure it. In 2018, this worked for my experimental Chrome browser, latest from Google at the time:
https://it.slashdot.org/story/...
Creative uses of Spectre (and Meltdown or something like it as an additional help) can make it even more "fairly easy" to steal the passwords.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
The passwords are kept in local encrypted storage...at least that is what the password manager is supposed to do. Not sure how the Google account syncing goes. Remembering passwords is fine, autofilling in passwords is a major security issue and this is why reputable browsers turned that off. There is some inconvenience, but looking up the password in the password manager is not that difficult.
Two factor authentication often means getting a text message and that requires typically a cell phone that comes with more or less significant cost. Sure, I have one, almost everyone has one, but I rarely use it and pulling it out just to fish for a one time key so that I can download my spam emails is highly inconvenient. It also defies any attempt in automation. I have my emails downloaded from the server every two hours. The volume is so large that I otherwise would clog up the various email accounts I deal with. I'd go for two factor if the second factor is a hardware dongle that authorizes a system to download emails. And yes, I do not use the slow, ad laden and clunky web portals of email providers. There you have it, other users may have different reasons.
competent to properly secure the password database (which is fairly easy),
If they are competent, then they must be unwilling to secure it. In 2018, this worked for my experimental Chrome browser, latest from Google at the time: https://it.slashdot.org/story/...
Meh. It's no surprise that browsers don't yet mitigate a barely-published attack, particularly since it's arguably not an attack at all. The browser is doing the right thing and filling username and password fields for the site that it's supposed to. The site developer is the one including hidden forms that send that data to the wrong place. Bad/buggy web sites can do all kinds of nasty things with/to the data you give to those sites. The only difference here is that the site developer doesn't realize he's added this particular nastiness, but he did make the decision to use a shady tracking service.
Creative uses of Spectre (and Meltdown or something like it as an additional help) can make it even more "fairly easy" to steal the passwords.
Again, not an issue with having a password database in your browser. An issue with entering passwords in your browser at all, of course (or potentially in any program on your computer), but not a reason to prefer typing passwords over using the browser's password keeper.
I don't bother because my Gmail account is my throw-away account. It's the email I give out if I absolutely HAVE to, to sign up for some web site or something. I also know I have a fairly ("asdfasdf") password on it because I DON'T CARE. Things I do care about are under a different email, with strong passwords and TFA.
Yup. Blaming the attacker completely absolves the maker of vulnerable software. What else can I expect from Google employees?
I started using 2FA recently, before that unique passwords & pw manager. I've never been bitten by security problems, but I'm relatively low profile.
Working with U2F (YubiKey) and TOTP (Google Authenticator) has been a bit annoying. Most sites don't support U2F, or even 2FA in general. The ones I want to have 2FA, like my bank, do not, or they implement it through SMS/email. Some sites, like Facebook, have issues with multiple U2F tokens (i.e. second and subsequent tokens do not work). It requires extra effort to get Gmail working in external clients with saved device trust instead of 2FA as well.
Actually using u2f has been nice though, even with chrome on android via nfc. Once things are set up on a site, it's very reliable.
Yup. Blaming the attacker completely absolves the maker of vulnerable software. What else can I expect from Google employees?
Umm, you need to re-read the post you're replying to. Nowhere did I blame the attacker.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Site developer
Bingo Dictionary - Pragmatist, n. A myopic idealist.
Site developer
Yes. Not the attacker, the site developer who chose to give your password to his site to a tracking company. He could have chosen to do it directly; instead he just included their content and scripts on his site, from his domain, essentially enabling them to do an XSS attack on his site without needing the "XS" part.
In general, there's very little browsers can do to prevent XSS if site developers don't build their sites correctly. What we have here is a case where site developers may have done a decent job of preventing general XSS attacks, then gave a specific attacker special privileges. In this particular case, there may be some things that browsers can do about it, now that researchers have pointed out the issue. However, that won't actually fix the general case, because sites allow these tracking networks to inject Javascript as well. If the tracking companies wanted to, they could inject Javascript that collects your username and password from the visible fields, when you type them.
The only real solution is for site developers to be careful about whose content/code they inject in their sites. When they contract with an analytics company, they should ensure that the contract contains a commitment not to snarf extra data.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
The site developer "chose to give your password to his site to a tracking company", which was given to the site developer by the browser. The user did not give the password to the site developer via the browser. The user gave the password to another site developer, but also made the mistake of storing it in the browser. So the browser went ahead and gave the password to this "malicious" site developer.
It is extremely dishonest of you to mention "tracking company". Any use can be made of the "stolen" password, not just tracking.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
Who uses a web based email server and expects security? Even back in the 90s people knew better than rely on Hotmail, Yahoo, and Gmail. I don't bother with high security on gmail as it is my throw away spamertizer catcher address used to sign onto web pages that require a valid email to read their articles.
NRRPT/RCT
The site developer "chose to give your password to his site to a tracking company", which was given to the site developer by the browser. The user did not give the password to the site developer via the browser.
By "site developer" I mean the author of the site the user visited. So, yes, the user did give the password to the site developer; the user has to do that to log in.
It is extremely dishonest of you to mention "tracking company".
Huh? I'm beginning to think you don't understand the issue that you cited.
Let me be very clear, with an example. Let's use slashdot. Suppose that slashdot made an agreement with one of the tracking services, say AdThink, that has been found to be exploiting this "vulnerability". AdThink gives some value to slashdot, and slashdot includes AdThink's content and supporting JavaScript in the content delivered on the slashdot home page.
Now, you, the user, have your browser remember your slashdot login. The browser watches for username/password forms from the slashdot.org domain, and when it sees some, it fills them in with your values. It does not click "Submit" for you; you have to do that yourself. AdThink wants your slashdot login information, so in the content that it gives to the slashdot devs to inject into the home page, it includes a hidden form which has a username and password field. Note that developers who build the slashdot site not only allowed this, they actively worked to serve up AdThink's malicious code. AdThink also includes a bit of Javascript that detects when data is entered on the hidden form and submits it. Because all of the Javascript and hidden content was served from slashdot.org, the same-domain policy doesn't prevent any of this, even though the target of the form is an AdThink server, not a slashdot.org server.
The key point here is that it's slashdot who provided all of the malicious HTML and JS to your browser. Your browser has no reason to distrust this content any more than the password entry form that you type stuff into yourself.
Make sense?
With that understanding, it should also be clear that AdThink doesn't even need password auto-filling to do this. They could also inject some Javascript that hooks into the events that are generated when you manually type in your username and password, and it could generate a call back to the AdThink server providing your data then, too.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
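The injected-hidden-form pattern the comment above describes, as an added audit example that is not part of the original post: a site can scan its own forms for password fields the user cannot see, or forms that post to an origin other than the page's own. The form objects, page origin and tracker host below are constructed sample data, not values from the research.

```javascript
// Added example (not from the thread). Runs in Node with no DOM: each form is
// a plain object of the kind a page script would build from the live document
// (action, computed style, and its input fields). Sample data is constructed.

// Resolve a form's action (possibly relative) against the page origin.
function originOf(action, pageOrigin) {
  try {
    return new URL(action || pageOrigin, pageOrigin).origin;
  } catch (e) {
    return null; // unparsable action is treated as not-our-origin
  }
}

// A field or form is invisible if any of the usual hiding tricks are applied.
function isHidden(node) {
  const s = node.style || {};
  return s.display === "none" || s.visibility === "hidden" ||
    Number(s.opacity) === 0 ||
    (s.width === "0px" && s.height === "0px");
}

// Returns a list of findings; an empty list means no autofill trap was found.
function auditLoginForms(pageOrigin, forms) {
  const findings = [];
  forms.forEach((form, i) => {
    const pwFields = form.fields.filter(f => f.type === "password");
    if (pwFields.length === 0) return; // autofill puts no secret here
    const target = originOf(form.action, pageOrigin);
    if (target !== pageOrigin) {
      findings.push({ form: i, reason: "password form posts cross-origin", target });
    }
    if (isHidden(form) || pwFields.some(isHidden)) {
      findings.push({ form: i, reason: "password field not visible to user" });
    }
  });
  return findings;
}

// Constructed sample: the site's real login form, then an injected trap.
const SAMPLE_FORMS = [
  { action: "/login.pl", style: { display: "block" }, fields: [
      { name: "unickname", type: "text", style: { display: "block" } },
      { name: "upasswd", type: "password", style: { display: "block" } } ] },
  { action: "https://tracker.example/collect", style: { display: "none" }, fields: [
      { name: "email", type: "text", style: { display: "none" } },
      { name: "pw", type: "password", style: { display: "none" } } ] },
];

console.log(JSON.stringify(auditLoginForms("https://slashdot.org", SAMPLE_FORMS)));
```

A Content-Security-Policy of `form-action 'self'` blocks the cross-origin submit in the browser, but as the comment notes, a script that reads the field value itself is not stopped by it, so the audit is still worth running.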
You have no clue about the issue I cited.
Slashdot is the original site to which the user supplied the password. And the user made the mistake of saving it in the browser. No decision on the part of Slashdot is now required. The user, independently of Slashdot, 2 days later, now goes to a COMPLETELY different site. Read:
To start, we'll need you to save some test credentials using the form below. On a later page, we'll demonstrate how a third-party script can retrieve these saved credentials. Note that the third party does not need to be present when the credentials are saved, and that none are present on this page.
The new, third-party site is a malicious site. The developer of which is an attacker. Whom you are blaming in trying to unsuccessfully defend the vulnerable software. Which is the browser. Specifically the password manager part of the browser.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
So?
How much does Google pay for your soul?
If Google is sending the likes of you to defend the password managers of all browsers, some not even developed by Google, I suspect Google is exploiting this vulnerability.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
I could dig in and explain in more detail why you're wrong, but I'm not interested in educating assholes. I ignored your first few jibes, but I'm done now. You can feel free to think what you like about me -- you will anyway. And Google has nothing to do with my posts on /., except to officially discourage me from making them (but not enough to actually tell me that I must stop).
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Yes, you have completely misunderstood the vulnerability, and looked like a complete idiot so far to spare my feelings.
BTW I interact with the likes of you only because the world is a better place with someone taking on your lies.
Bingo Dictionary - Pragmatist, n. A myopic idealist.