JP Vossen on 10 Jan 2017 08:09:47 -0800


Re: [PLUG] Lastpass - friend of foe

Something else I haven't seen yet:

Browser Autofill Profiles Can Be Abused For Phishing Attacks

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allow attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye. Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.


I don't know how LastPass or other tools work or if this applies there. But I've always been very nervous about anything that works automatically because there have been far too many browser addon compromises, especially in the Windows world thanks to all the insane/insecure "integrations" they made. Anything that can perform actions (client-side Javascript perhaps?) can make automatic systems cough up details. No, bad.

For the record, I use the Linux version of Passwordsafe which I keep locked and which requires my taking manual actions to use. I have long random passwords for most things except passwords I actually have to type now and then. It's a pain because I have to sync the data file and not corrupt it, and I'm locked to PCs that have both the data file and the client. So I can live with it, but it wouldn't work for Rich^.

At $WORK we are encouraged to use KeePass, but then they force us to use Windows too, so take that for what it's worth. Until recently they were death on anything "cloud" which I do mostly agree with, but they've been relaxing a bit and moving into that space.


PS--Is "friend *of* foe" a typo or on purpose? It works either way, just wondering. :-)
--  -------------------------------------------------------------------
JP Vossen, CISSP | |
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --
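The quoted article describes a form whose hidden fields still receive browser autofill data. As an added illustration of how a user-side tool (a bookmarklet or extension content script, for instance) could surface such fields before a form is submitted, here is a small Node-runnable audit. It is not part of the original post, nor is it Viljami Kuosmanen's demo; the HTML it scans is a constructed sample that mirrors the form the article describes (two visible fields, six hidden ones), not the demo's real source. The hiding heuristics (display:none, visibility:hidden, opacity:0, off-screen positioning, zero size, the hidden attribute) are this example's own assumptions about the common ways a field is kept off-screen; type="hidden" inputs are deliberately not flagged, because browsers do not autofill them.

```javascript
// Added example: audit a form's HTML for text-like inputs that are hidden from
// the user but would still be populated by a browser autofill profile.
// Constructed sample form, modelled on the one described in the quoted article.
const SAMPLE_FORM_HTML = `
<form action="/submit" method="post">
  <input type="text"  name="name"    autocomplete="name">
  <input type="email" name="email"   autocomplete="email">
  <input type="text"  name="phone"   autocomplete="tel"            style="display:none">
  <input type="text"  name="org"     autocomplete="organization"   style="visibility:hidden">
  <input type="text"  name="address" autocomplete="street-address" style="position:absolute; left:-9999px">
  <input type="text"  name="zip"     autocomplete="postal-code"    hidden>
  <input type="text"  name="city"    autocomplete="address-level2" style="opacity:0">
  <input type="text"  name="country" autocomplete="country"        style="height:0;width:0">
  <input type="hidden" name="csrf"   value="constructed-token">
  <button type="submit">Submit</button>
</form>`;

// Input types that autofill profiles never populate; these are skipped.
const NON_AUTOFILL_TYPES = new Set([
  'hidden', 'submit', 'button', 'reset', 'image', 'file', 'checkbox', 'radio',
]);

// Assumed heuristics for "the user cannot see this field" (inline style only).
const HIDING_RULES = [
  [/display\s*:\s*none/i, 'display:none'],
  [/visibility\s*:\s*hidden/i, 'visibility:hidden'],
  [/opacity\s*:\s*0(?![\d.])/i, 'opacity:0'],
  [/(?:left|top)\s*:\s*-\d{3,}px/i, 'positioned off-screen'],
  [/(?:height|width)\s*:\s*0(?:px)?(?![\d.])/i, 'zero size'],
];

// Parse the attribute text of one <input ...> tag into a lower-cased map.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2]
      : m[3] !== undefined ? m[3]
      : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return a short reason if the field is hidden from the user, else null.
function hiddenReason(attrs) {
  if ('hidden' in attrs) return 'hidden attribute';
  const style = attrs.style || '';
  for (const [re, label] of HIDING_RULES) {
    if (re.test(style)) return label;
  }
  return null;
}

// Scan every <input> in the HTML and report hidden, autofill-eligible fields.
function auditForm(html) {
  const findings = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const type = (attrs.type || 'text').toLowerCase();
    if (NON_AUTOFILL_TYPES.has(type)) continue;
    const reason = hiddenReason(attrs);
    if (reason === null) continue;
    findings.push({
      name: attrs.name || '(unnamed)',
      autocomplete: attrs.autocomplete || null,
      reason,
    });
  }
  return findings;
}

// Stand-alone run: print what the sample form would silently collect.
for (const f of auditForm(SAMPLE_FORM_HTML)) {
  console.log(`hidden field "${f.name}" (autocomplete=${f.autocomplete}): ${f.reason}`);
}
```

Run with `node`, it lists the six concealed fields (phone, org, address, zip, city, country) while leaving the two visible fields and the type="hidden" token alone. In a browser the same function can be pointed at `form.outerHTML` from a submit handler; it only inspects inline styles, so a field hidden through an external stylesheet would need `getComputedStyle` instead, which this offline version does not cover.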