The Omni Group
Is Password Saving in Omniweb safe?
Quote:
Originally Posted by Forrest
I guess I don't see what the problem is.
The root problem is very simple. Safari/Firefox/OW/Flock/etc will fill a webpage for you without your knowledge. This means I could have my MySpace password stolen without any interaction from me at all.

I don't really consider this a bug, more a convenience feature gone wrong.

If, otoh, I went to a MySpace page and was required to fill the information by selecting from a dropdown or using a hotkey, then at least I would know that I was providing my information, and could make the conscious decision on whether or not this was a phishing scam or not.
 
Quote:
Originally Posted by FredH
Where is the test page or pages you guys are talking about?
I created my own test page that shows how to steal Safari's passwords.

Safari (and I assume OW too) are smarter than Firefox and will not autofill input fields that are hidden using display:none; CSS. The original exploit used this CSS to hide the fields and Firefox happily filled them.

I changed the exploit to use width:0px; instead, and Safari happily filled it.

Again, the real crime here is that the forms are filled without any interaction from me. This is why it is so dangerous; not only for MySpace users but consider Blogger, Vox, or any other site that allows users to 'own' a subdomain.
 
Quote:
Originally Posted by dteare
The root problem is very simple. Safari/Firefox/OW/Flock/etc will fill a webpage for you without your knowledge.
I must still be missing something. How does it do it without my knowledge? When I first enter my l/p and hit submit, I am then aware I have given the site a l/p. I get a resulting "do you want OW to remember the password?" prompt. If I choose yes, then I know the l/p will be given to the site in the future, so I'm certainly made aware - twice - that this site can get my l/p. If I choose either of the other two options, the test fails.
 
Quote:
Originally Posted by dteare
Again, the real crime here is that the forms are filled without any interaction from me. This is why it is so dangerous; not only for MySpace users but consider Blogger, Vox, or any other site that allows users to 'own' a subdomain.
OW treats each subdomain differently, so I don't see how that's an issue here either.
 
Quote:
Originally Posted by Forrest
I guess I don't see what the problem is. According to the Heise test:
Due to a lack of checking, a second, evil page on the same server could steal those saved passwords.
The problem is sites where users can build their own pages with HTML—apparently that's the case for MySpace, and I guess for eBay, too, and probably many others.

If a user puts a form on his page that resembles the login form of the site, all browsers I know except Opera will fill in the corresponding information (in Opera it's only filled in (and sent) if you press Ctrl-Return). If the user presses the "Submit" button, the information will be sent to the "evil user's" server. And if the site also allows JavaScript, pressing the submit button isn't even necessary. (I guess, at least—I've never used JavaScript myself, but I guess it's possible to read what has been filled into forms and send it to another server.)

Last edited by zottel; 2006-12-02 at 02:43 PM.
 
Ahhh, ok. I get it now. Thanks.
 
I could be wrong but I think MySpace uses different sub-domains for logging in and profiles so hopefully there is another level of security there (a password saved for login.myspace.com won't get autofilled on profiles.myspace.com) or whatever. Forrest already mentioned that.

What I thought I would add is that while this isn't optimal you can set the keychain to automatically re-lock after use. This would mean that you'd get prompted for your keychain password every time OmniWeb tries to grab a password. Other apps would do the same unfortunately though.

There is also access control for individual passwords. So I think you can go in and make the keychain request your keychain password every time OmniWeb tries to access your eBay password for instance. I haven't really played with it myself but that should work.
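
The mitigations raised in this thread (not filling fields the user cannot see, treating each subdomain separately, and filling only after a user action as Opera does) can be combined into one autofill policy check. The following is an added example, not code from any poster or from OmniWeb; the field-descriptor shape, the function names `isEffectivelyHidden` and `autofillDecision`, and the `example.test` hosts are assumptions made for illustration.

```javascript
// Added illustration: an autofill policy check a password manager could apply.
// Field descriptors are plain objects standing in for computed style values
// (constructed for this example; a real browser would read them from layout).

// A display:none test alone is not enough: the thread shows width:0px passing it.
function isEffectivelyHidden(f) {
  const s = f.style || {};
  if (s.display === 'none' || s.visibility === 'hidden') return true;
  if (parseFloat(s.opacity ?? '1') === 0) return true;
  // Zero-size boxes (width:0px / height:0px) are invisible to the user too.
  if (parseFloat(s.width ?? '1') <= 0 || parseFloat(s.height ?? '1') <= 0) return true;
  return false;
}

// Returns 'refuse', 'ask' (fill only after an explicit user gesture) or 'fill'.
function autofillDecision(saved, form, userGesture) {
  const page = new URL(form.pageUrl);
  const action = new URL(form.action, page); // resolve relative actions
  const savedOrigin = new URL(saved.url).origin;

  // Each subdomain is a different origin; never fill across them.
  if (page.origin !== savedOrigin) return 'refuse';
  // Credentials must not be submitted to another server.
  if (action.origin !== savedOrigin) return 'refuse';
  // Never put a secret into a field the user cannot see.
  if (form.fields.some(isEffectivelyHidden)) return 'refuse';
  // Same server, but possibly a user-built page: require a conscious action.
  return userGesture ? 'fill' : 'ask';
}

// Constructed sample data (example.test is a placeholder host).
const saved = { url: 'https://login.example.test/signin' };
const visible = { style: { display: 'block', width: '180px', height: '20px' } };
const zeroWidth = { style: { display: 'block', width: '0px', height: '20px' } };
const form = (pageUrl, action, fields) => ({ pageUrl, action, fields });

const cases = {
  realLogin: autofillDecision(saved, form('https://login.example.test/signin', '/session', [visible, visible]), true),
  noGesture: autofillDecision(saved, form('https://login.example.test/signin', '/session', [visible, visible]), false),
  zeroWidthField: autofillDecision(saved, form('https://login.example.test/user/page', '/session', [visible, zeroWidth]), true),
  otherSubdomain: autofillDecision(saved, form('https://profiles.example.test/u1', '/session', [visible, visible]), true),
  foreignAction: autofillDecision(saved, form('https://login.example.test/user/page', 'https://collector.example.test/', [visible, visible]), true),
};
console.log(cases);
```

The final `ask` result covers the case the origin checks cannot: a user-built page on the same host as the real login form, where only a deliberate user action separates a legitimate fill from a silent one.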
 
 




All times are GMT -8.