autofilling invisible forms as tracking technique - mitigation Topic is solved

Support and discussions for the x86/x64 Linux version of Pale Moon.

Moderators: trava90, satrow

Lew Rockwell Fan
Moonbather
Posts: 58
Joined: Wed, 14 Jun 2017, 15:20

autofilling invisible forms as tracking technique - mitigation

Postby Lew Rockwell Fan » Sun, 01 Apr 2018, 19:53

The sky is not falling, and the demo for this malware (or whatever you want to call it) didn't work (which is good) with the PM on the system I'm presently booted on, but at the very least, this problem is interesting. It is (or at least was as of 3 months ago), a devious tracking technique with potential to harvest some usernames & passwords. IF, repeat IF, I understand it correctly, the password part is probably only significant if you reuse the same password on multiple sites, but I might be wrong. It was found in the wild on about 1 site in every thousand in the username/email harvesting form, but no password harvesters were found.

Overview here:
https://www.theverge.com/2017/12/30/168 ... n-research

This article has more detail but is much harder to read because the text is off the monitor to the right, without even a bloody scroll bar, if you zoom enough to make it legible:

https://freedom-to-tinker.com/2017/12/2 ... -managers/

Demo here:
https://senglehardt.com/demo/no_boundar ... inmanager/

I'm curious as to why the demo failed for me. Has this been fixed for PM? As I understand it, it is only an issue if the browser is filling out forms automatically (and mine is). So, if nothing else, it should be possible to set up PM so it does NOT fill in form data automatically (in about:config somewhere I think?) and then use some extension to fill in forms, including passwords, on clicking a button.

I'd like to understand this better, particularly WHY the demo fails for me. Maybe I'm doing something right, & I'd like to know what it is so I can be sure not to change it.

Any insights appreciated. Thanks for reading.
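The technique in the linked studies depends on credential inputs that the browser will autofill but the user never sees. As an added example (not code from this thread, from Pale Moon, or from the cited researchers), here is a small audit in Python's standard library that a site owner or researcher could run over fetched page HTML to flag username/password inputs hidden by `display:none`, `visibility:hidden`, `opacity:0`, off-screen positioning, zero size, the `hidden` attribute, or a hidden ancestor. The sample page and the field-name heuristics are constructed for the demonstration; real pages also hide fields via external stylesheets, which this inline-style check does not see.

```python
import re
from html.parser import HTMLParser

# Inline CSS that makes an element invisible while its inputs stay fillable.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px"
    r"|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)
# Heuristic tokens a password manager treats as the login-name field (assumption).
USERNAME_HINT = re.compile(r"user|login|email", re.IGNORECASE)
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}


def element_hidden(attrs):
    """True if this element's own attributes hide it from the user."""
    if "hidden" in attrs:  # HTML5 boolean `hidden` attribute
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))


def credential_kind(attrs):
    """Return 'password', 'username' or None for an <input> element."""
    itype = attrs.get("type", "text").lower()
    if itype == "password":
        return "password"
    if itype in ("text", "email"):
        hint = " ".join(attrs.get(k, "") for k in ("name", "id", "autocomplete"))
        if USERNAME_HINT.search(hint):
            return "username"
    return None  # type="hidden" and other inputs are never autofilled with logins


class HiddenCredentialFieldFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, hidden) for every open non-void element
        self.findings = []   # credential inputs the user cannot see

    def _in_hidden_subtree(self):
        return any(hidden for _, hidden in self.stack)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        own_hidden = element_hidden(a)
        if tag == "input":
            kind = credential_kind(a)
            if kind and (own_hidden or self._in_hidden_subtree()):
                self.findings.append({
                    "kind": kind,
                    "name": a.get("name") or a.get("id") or "?",
                    "reason": "own style" if own_hidden else "hidden ancestor",
                })
            return  # <input> has no children, so it is never pushed
        if tag not in VOID_TAGS:
            self.stack.append((tag, own_hidden))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        # Pop back to the matching open tag; tolerates sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_credential_fields(html):
    """Scan one page's HTML and return the invisible credential inputs found."""
    parser = HiddenCredentialFieldFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample: one legitimate visible login form, one form hidden by a
# display:none wrapper, one form pushed off-screen, and an unrelated hidden token.
SAMPLE_PAGE = """
<html><body>
  <form id="login" action="/login">
    <input type="text" name="username">
    <input type="password" name="password">
    <button>Sign in</button>
  </form>
  <div style="display: none;">
    <form id="collector">
      <input type="email" name="email">
      <input type="password" name="pass">
    </form>
  </div>
  <form style="position:absolute; left:-9999px">
    <input type="text" id="login_user" autocomplete="username">
  </form>
  <input type="hidden" name="csrf" value="token123">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_hidden_credential_fields(SAMPLE_PAGE):
        print(finding)
```

Run against the sample, the visible form and the CSRF token are ignored and the three invisible credential inputs are reported with the reason they are hidden. A browser whose password manager only fills after a click in a visible field (the behaviour the replies below describe for Pale Moon 27.7.0 and later) would leave all three empty regardless of what this audit finds; the audit is for the people who put scripts on a page, not a substitute for that browser setting.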

Nigaikaze
Astronaut
Posts: 657
Joined: Sun, 02 Feb 2014, 22:15
Location: Chicago, IL, USA

Re: autofilling invisible forms as tracking technique - mitigation

Postby Nigaikaze » Sun, 01 Apr 2018, 21:39

Lew Rockwell Fan wrote: I'm curious as to why the demo failed for me.

From the security/privacy fixes section of the release notes for Pale Moon version 27.7.0:
Disabled automatic filling in of log-in details by default to prevent potential risks of credentials being abused (e.g. for tracking) or stolen.

I believe this is exactly the type of exploit that specific security fix was designed to protect against.

Moonchild
Pale Moon guru
Posts: 20836
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Re: autofilling invisible forms as tracking technique - mitigation

Postby Moonchild » Sun, 01 Apr 2018, 23:20

Nigaikaze wrote: I believe this is exactly the type of exploit that specific security fix was designed to protect against.

It is.
It's been a long-standing issue with convenience vs. exploitation -- The demo doesn't work because this is effectively mitigated by requiring user interaction now.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

Lew Rockwell Fan
Moonbather
Posts: 58
Joined: Wed, 14 Jun 2017, 15:20

Re: autofilling invisible forms as tracking technique - mitigation

Postby Lew Rockwell Fan » Mon, 02 Apr 2018, 00:56

Thank you, gents. Are y'all talking about signon.autofillForms?
By toggling that I see the difference between automatic and almost-automatic, where I have to click in the username field. But the funny thing is, the demo fails either way. And I don't have this PM tricked out yet. Only 5 extensions, 4 of which just deal with colors and fonts & the other adds about-pages to the help menu. Nothing like a script or ad blocker or cookie crumbler. Maybe it is just broken?

So the bottom line is keep signon.autofillForms set to the default of 'false' & this is not an issue, right? Or is there more to it?

Moonchild
Pale Moon guru
Posts: 20836
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Re: autofilling invisible forms as tracking technique - mitigation  Topic is solved

Postby Moonchild » Mon, 02 Apr 2018, 01:56

No, there is nothing more to it.
Also, you don't need to poke at about:config for this.
See preferences -> security -> [ ] Automatically fill in log-in details
