autofilling invisible forms as tracking technique - mitigation Topic is solved

[Lew Rockwell Fan]

The sky is not falling, and the demo for this malware (or whatever you want to call it) didn't work (which is good) with the PM on the system I'm presently booted on, but at the very least, this problem is interesting. It is (or at least was as of 3 months ago), a devious tracking technique with potential to harvest some usernames & passwords. IF, repeat IF, I understand it correctly, the password part is probably only significant if you reuse the same password on multiple sites, but I might be wrong. It was found in the wild on about 1 site in every thousand in the username/email harvesting form, but no password harvesters were found.

Overview here:
https://www.theverge.com/2017/12/30/168 ... n-research

This article has more detail but is much harder to read because the text is off the monitor to the right, without even a bloody scroll bar, if you zoom enough to make it legible:

https://freedom-to-tinker.com/2017/12/2 ... -managers/

Demo here:
https://senglehardt.com/demo/no_boundar ... inmanager/

I'm curious as to why the demo failed for me. Has this been fixed for PM? As I understand it, it is only an issue if the browser is filling out forms automatically (and mine is). So, if nothing else, it should be possible to set up PM so it does NOT fill in form data automatically (in about:config somewhere I think?) and then use some extension to fill in forms, including passwords, on clicking a button.

I'd like to understand this better, particularly WHY the demo fails for me. Maybe I'm doing something right, & I'd like to know what it is so I can be sure not to change it.

Any insights appreciated. Thanks for reading.

[Nigaikaze]

I'm curious as to why the demo failed for me.

From the security/privacy fixes section of the release notes for Pale Moon version 27.7.0:

Disabled automatic filling in of log-in details by default to prevent potential risks of credentials being abused (e.g. for tracking) or stolen.

I believe this is exactly the type of exploit that specific security fix was designed to protect against.

[Moonchild]

I believe this is exactly the type of exploit that specific security fix was designed to protect against.

It is.
It's been a long-standing issue with convenience vs. exploitation -- The demo doesn't work because this is effectively mitigated by requiring user interaction now.

[Lew Rockwell Fan]

Thank you, gents. Are y'all talking about
signon.autofillForms
?
By toggling that I see the difference between automatic and almost-automatic, where I have to click in the username field. But the funny thing is, the demo fails either way. And I don't have this PM tricked out yet. Only 5 extensions, 4 of which just deal with colors and fonts & the other adds about-pages to the help menu. Nothing like a script or ad blocker or cookie crumbler. Maybe it is just broken?

So the bottom line is keep signon.autofillForms set to the default of 'false' & this is not an issue, right? Or is there more to it?

[Moonchild]

No, there is nothing more to it.
Also, you don't need to poke at about:config for this.
See preferences -> security -> [ ] Automatically fill in log-in details