The sky is not falling, and the demo for this malware (or whatever you want to call it) didn't work (which is good) with the PM on the system I'm presently booted on, but at the very least, this problem is interesting. It is (or at least was as of 3 months ago), a devious tracking technique with potential to harvest some usernames & passwords. IF, repeat IF, I understand it correctly, the password part is probably only significant if you reuse the same password on multiple sites, but I might be wrong. It was found in the wild on about 1 site in every thousand in the username/email harvesting form, but no password harvesters were found.
Overview here:
https://www.theverge.com/2017/12/30/168 ... n-research
This article has more detail but is much harder to read because the text is off the monitor to the right, without even a bloody scroll bar, if you zoom enough to make it legible:
https://freedom-to-tinker.com/2017/12/2 ... -managers/
Demo here:
https://senglehardt.com/demo/no_boundar ... inmanager/
I'm curious as to why the demo failed for me. Has this been fixed for PM? As I understand it, it is only an issue if the browser is filling out forms automatically (and mine is). So, if nothing else, it should be possible to set up PM so it does NOT fill in form data automatically (in about:config somewhere I think?) and then use some extension to fill in forms, including passwords, on clicking a button.
I'd like to understand this better, particularly WHY the demo fails for me. Maybe I'm doing something right, & I'd like to know what it is so I can be sure not to change it.
Any insights appreciated. Thanks for reading.
autofilling invisible forms as tracking technique - mitigation Topic is solved
Moderator: trava90
Forum rules
This board is for technical/general usage questions and troubleshooting for the Pale Moon browser only.
Technical issues and questions not related to the Pale Moon browser should be posted in other boards!
Please keep off-topic and general discussion out of this board, thank you!
Board Warrior | Posts: 1322 | Joined: 2014-02-02, 22:15 | Location: Chicagoland
Re: autofilling invisible forms as tracking technique - mitigation
Lew Rockwell Fan wrote: I'm curious as to why the demo failed for me.
From the security/privacy fixes section of the release notes for Pale Moon version 27.7.0:
"Disabled automatic filling in of log-in details by default to prevent potential risks of credentials being abused (e.g. for tracking) or stolen."
I believe this is exactly the type of exploit that specific security fix was designed to protect against.
Nichi nichi kore ko jitsu = Every day is a good day.
Pale Moon guru | Posts: 35648 | Joined: 2011-08-28, 17:27 | Location: Motala, SE
Re: autofilling invisible forms as tracking technique - mitigation
Nigaikaze wrote: I believe this is exactly the type of exploit that specific security fix was designed to protect against.
It is.
It's been a long-standing issue with convenience vs. exploitation -- The demo doesn't work because this is effectively mitigated by requiring user interaction now.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
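An added example, not code from this thread or from Pale Moon: a defender-side audit that flags credential fields a page carries but a visitor could never see, which is the setup the demo link in the first post relies on and the reason the "require user interaction" mitigation above matters. It runs on plain records so it works offline; in a browser you would build each record from an input element using getComputedStyle() and getBoundingClientRect() (assumption: the properties used below are all that is needed), and the script origin is assumed to be known from your own instrumentation.

```javascript
const VIEWPORT = { width: 1280, height: 720 }; // assumed window size for the check

// Returns the first reason the field would be invisible, or null if it is shown.
function hiddenReason(f) {
  const s = f.style, r = f.rect;
  if (s.display === 'none') return 'display:none';
  if (s.visibility === 'hidden') return 'visibility:hidden';
  if (Number(s.opacity) === 0) return 'opacity:0';
  if (r.width < 2 || r.height < 2) return 'collapsed box';
  if (r.left + r.width <= 0 || r.top + r.height <= 0) return 'off-screen (negative)';
  if (r.left >= VIEWPORT.width || r.top >= VIEWPORT.height) return 'off-screen (positive)';
  return null;
}

// A credential field is a password box, or a text box whose name/autocomplete
// hint looks like a username or e-mail address.
function isCredentialField(f) {
  if (f.type === 'password') return true;
  return /user|email|login/i.test(`${f.name || ''} ${f.autocomplete || ''}`);
}

// Audits input records and reports hidden credential fields together with the
// origin of the script that inserted them. Hidden non-credential fields (for
// example anti-spam honeypots) are common and are deliberately not reported.
function auditLoginFields(fields) {
  const findings = [];
  for (const f of fields) {
    if (!isCredentialField(f)) continue;
    const reason = hiddenReason(f);
    if (reason) findings.push({ name: f.name, type: f.type, origin: f.origin, reason });
  }
  return findings;
}

// Constructed sample: the site's own login form, a hidden honeypot, and a pair
// of 1x1 fields a third-party script parked off-screen. Origins are made up.
const SHOWN = { display: 'block', visibility: 'visible', opacity: '1' };
const GONE = { display: 'none', visibility: 'visible', opacity: '1' };
const SAMPLE_FIELDS = [
  { name: 'username', type: 'text', autocomplete: 'username', origin: 'https://shop.example',
    style: SHOWN, rect: { left: 300, top: 200, width: 240, height: 32 } },
  { name: 'password', type: 'password', origin: 'https://shop.example',
    style: SHOWN, rect: { left: 300, top: 250, width: 240, height: 32 } },
  { name: 'website', type: 'text', origin: 'https://shop.example',
    style: GONE, rect: { left: 0, top: 0, width: 0, height: 0 } },
  { name: 'email', type: 'text', origin: 'https://tracker.example',
    style: SHOWN, rect: { left: -5000, top: 0, width: 1, height: 1 } },
  { name: 'pw', type: 'password', origin: 'https://tracker.example',
    style: SHOWN, rect: { left: -5000, top: 0, width: 1, height: 1 } },
];

console.log(auditLoginFields(SAMPLE_FIELDS));
```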
Re: autofilling invisible forms as tracking technique - mitigation
Thank you, gents. Are y'all talking about signon.autofillForms?
By toggling that I see the difference between automatic and almost-automatic, where I have to click in the username field. But the funny thing is, the demo fails either way. And I don't have this PM tricked out yet. Only 5 extensions, 4 of which just deal with colors and fonts & the other adds about-pages to the help menu. Nothing like a script or ad blocker or cookie crumbler. Maybe it is just broken?
So the bottom line is keep signon.autofillForms set to the default of 'false' & this is not an issue, right? Or is there more to it?
Pale Moon guru | Posts: 35648 | Joined: 2011-08-28, 17:27 | Location: Motala, SE
Re: autofilling invisible forms as tracking technique - mitigation
No, there is nothing more to it.
Also, you don't need to poke at about:config for this.
See preferences -> security -> [ ] Automatically fill in log-in details
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite