The Omni Group
These forums are now read-only. Please visit our new forums to participate in discussion. A new account will be required to post in the new forums. For more info on the switch, see this post. Thank you!

Go Back   The Omni Group Forums > OmniWeb > OmniWeb General
FAQ Members List Calendar Search Today's Posts Mark Forums Read

 
Is Password Saving in Omniweb save? Thread Tools Search this Thread Display Modes
Quote:
Originally Posted by Forrest
I guess I don't see what the problem is.
The root problem is very simple. Safari/Firefox/OW/Flock/etc will fill a webpage for you without your knowledge. This means I could have my MySpace password stolen without any interaction from me at all.

I don't really consider this a bug, more a convenience feature gone wrong.

If, otoh, I went to a MySpace page and was required to fill the information by selecting from a dropdown or using a hotkey, then at least I would know that I was providing my information, and could make the conscious decision on whether or not this was a phishing scam or not.
 
Quote:
Originally Posted by FredH
Where is the test page or pages you guys are talking about?
I created my own test page that shows how to steal Safari's passwords.

Safari (and I assume OW too) are smarter than Firefox and will not autofill input fields that are hidden using display:none; CSS. The original exploit used this CSS to hide the fields and Firefox happily filled them.

I changed the exploit to use width:0px; instead, and Safari happily filled it.

Again, the real crime here is that the forms are filled without any interaction from me. This is why it is so dangerous; not only for MySpace users but consider Blogger, Vox, or any other site that allows users to 'own' a subdomain.
 
Quote:
Originally Posted by dteare
The root problem is very simple. Safari/Firefox/OW/Flock/etc will fill a webpage for you without your knowledge.
I must still be missing something. How does it do it without my knowledge? When I first enter my l/p and hit submit, I am then aware I have given the site a l/p. I get a resulting "do you want OW to remember the password?" prompt. If I choose yes, then I know the l/p will be given to the site in the future, so I'm certainly made aware - twice - that this site can get my l/p. If I choose either of the other two options, the test fails.
 
Quote:
Originally Posted by dteare
Again, the real crime here is that the forms are filled without any interaction from me. This is why it is so dangerous; not only for MySpace users but consider Blogger, Vox, or any other site that allows users to 'own' a subdomain.
OW treats each subdomain differently, so I don't see how that's an issue here either.
 
Quote:
Originally Posted by Forrest
I guess I don't see what the problem is. According to the Heise test:
Due to a lack of checking, a second, evil page on the same server could steal those saved passwords.
The problem are sites where users can build their own pages with html—apparently that's the case for myspace, and I guess for ebay, too, and probably many others.

If a user puts a form on his page that resembles the login form of the site, all browsers I know except Opera will fill in the corresponding information (in Opera it's only filled in (and sent) if you press Crtl-Return). If the user presses the "Submit" button, the information will be sent to the "evil user's" server. And if the site also allows Javascript, pressing the submit button isn't even necessary. (I guess, at least—i've never used Javascript myself, but I guess it's possible to read what has been filled into forms and send it to another server.)

Last edited by zottel; 2006-12-02 at 02:43 PM..
 
Ahhh, ok. I get it now. Thanks.
 
I could be wrong but I think myspace uses different sub-domains for logging in and profiles so hopefully there is another level of security there (a password saved for login.myspace.com wont get autofilled on profiles.myspace.com) or whatever. Forrest already mentioned that.

What I thought I would add is that while this isn't optimal you can set the keychain to automatically re-lock after use. This would mean that you'd get prompted for your keychain password every time OmniWeb tries to grab a password. Other apps would do the same unfortunately though.

There is also access control for individual passwords. So I think you can go in and make the keychain request your keychain password every time OmniWeb tries to access your ebay password for instance. I haven't really played with it myself but that should work.
 
 


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes


Similar Threads
Thread Thread Starter Forum Replies Last Post
Password save for Safari does not work makesense Forums Feedback 0 2010-11-27 03:44 AM
Save password after login, not before mockman OmniWeb Feature Requests 3 2010-04-15 09:06 PM
Save this password? Never is a no-op Ward OmniWeb Bug Reports 3 2008-07-28 02:10 PM
Saving username and password sepandee OmniWeb General 1 2007-10-08 09:52 AM
How do you change setting to save password for website? jashugan OmniWeb General 2 2006-05-17 11:38 AM


All times are GMT -8. The time now is 01:14 AM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2020, vBulletin Solutions, Inc.