Saturday, November 4th, 2006

Capturing users info via auto-form fill and Ajax

Category: Security

Convenience is a great thing, but sometimes the most convenient action isn’t always the best. Being able to eat mangos and bananas in the middle of winter up north is great for the consumer, but maybe not for the environment.

Form auto fill plugins and builtins offer the convenience of not having to type your darn address in ONE MORE TIME as you purchase the latest Extras DVD, but what about the downside?

On one hand people at your computer or around you could easily find out information, but what about malicious sites?

Most auto form fillers use the name of each input to work out what a site is asking for. What if a random site put up what looked like an innocent form, but it auto-filled and tried to send over inputs with the names: cc, creditcard, credit_card, email, address, ….

They could simply:

    <script type="text/javascript">
    // Called from each field's onchange handler; shows the current email and zip values.
    function capture() {
        alert(document.getElementById('email').value + ':' + document.getElementById('zip').value);
    }
    </script>

    <form id="f">
    Email: <input type="text" id="email" name="email" onchange="capture(); return false;"/>
    <br />Zip: <input type="text" id="zip" name="zip" onchange="capture(); return false;"/>
    </form>

Instead of alert()’ing the user they would XHR the info back to their server (so you wouldn’t even know).

Fortunately, most auto-fill systems require some kind of user intervention, so a site can't simply put nasty content in a hidden div such that innocuous fields fill out in front of you while personal ones fill out hidden from you. We tried to do that via:

or:

I often accidentally fill out a form and hit TAB, which causes the auto fill. I guess we should be more careful?
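A defensive counterpart to the hidden-field scenario above, as an added example that is not from the original post: a sketch of the check an auto-fill feature could run before populating a form, filling only after a user action and only fields the user can actually see. The field descriptor shape and the names `isVisible`, `planAutofill` and `SENSITIVE` are assumptions for illustration; in a browser the descriptors would be built from the live DOM.

```javascript
// Added example: decide which fields an auto-fill feature may populate.
// Names that auto fillers commonly map to personal data (list is illustrative).
const SENSITIVE = /^(cc|credit[_-]?card|email|address|zip|phone)$/i;

// A field counts as visible only if it and every ancestor are rendered,
// it has a non-zero box, and it is not positioned off-screen.
function isVisible(field) {
  const chain = [field, ...(field.ancestors || [])];
  const rendered = chain.every(
    (n) => n.display !== 'none' && n.visibility !== 'hidden' && n.opacity !== 0
  );
  const hasBox = field.width > 0 && field.height > 0;
  const onScreen = field.left >= 0 && field.top >= 0;
  return rendered && hasBox && onScreen;
}

// Split fields into those safe to fill and those withheld, with a reason.
function planAutofill(fields, userInitiated) {
  const plan = { fill: [], withheld: [] };
  for (const f of fields) {
    if (!userInitiated) {
      plan.withheld.push({ name: f.name, reason: 'no user action' });
    } else if (!isVisible(f)) {
      plan.withheld.push({ name: f.name, reason: 'not visible to user' });
    } else {
      plan.fill.push(f.name);
    }
  }
  // Hidden fields with personal-data names match the pattern described above.
  plan.suspicious = plan.withheld
    .filter((w) => w.reason === 'not visible to user' && SENSITIVE.test(w.name))
    .map((w) => w.name);
  return plan;
}

// Constructed sample: a visible form plus fields parked where the user cannot see them.
const hiddenDiv = { display: 'none' };
const box = { width: 120, height: 20, left: 10, top: 10 };
const sampleFields = [
  { name: 'nickname', ...box },
  { name: 'email', ...box },
  { name: 'credit_card', ...box, ancestors: [hiddenDiv] },
  { name: 'address', ...box, left: -9999 },
];
console.log(planAutofill(sampleFields, true));
```

Visible fields with sensitive names, such as `email` here, are still filled; the check only guarantees that the user can see what is being handed to the page.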


Posted by Dion Almaer at 8:52 am

6 Comments »


This shouldn’t seem like much of a surprise. I only hope most people aren’t just realizing this very dangerous exploit. This is the very reason I do not even BEGIN to fill out a form unless I’m sure of the ACTUAL recipient.

Comment by Quasievil — November 4, 2006

Most people don’t realize this. Experts do, and web developers do, but to assume that the general population is even casually aware of these issues is assuming way too much.

Comment by Jacob — November 4, 2006

I couldn’t agree more… my “most people” comment referred to those checking this site. It’s a shame that awareness won’t take place until enough people have been duped.

Comment by Quasievil — November 4, 2006

Newsflash! Hold your horses! Web 3.0 is here! It turns out Javascript can access the contents of form fields now! Imagine the possibilities!

Comment by Garcia — November 5, 2006

Watch out in Web2.0

Some time ago, in the article Sicherheit im Web2.0, I mainly pointed out a few problems with using Web2.0 technologies in development. Much more problematic, though, is probably the user's understanding of the topic. Bei ordentl

Trackback by .: blogging augusto :. — November 9, 2006

[…] Posted by Redline Mon, 13 Nov 2006 16:00:37 GMT Most of the auto form fillers use the name of the input to work out what a site means. What if a random put up what looked like an innocent form, but it auto filled and tried to send over inputs with the names: cc, creditcard, credit_card, email, address, …. […]

Pingback by Peace Data : Capturing users info via auto-form fill and Ajax — November 13, 2006
