Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames

Post by Thehandyman1957 » 2017-12-30, 01:45

Is this something we need to be worried about? :think:

Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames
https://www.bleepingcomputer.com/news/s ... usernames/


Re: Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames

Post by Moonchild » 2017-12-30, 02:42

It's not a flaw in the login managers. It's actually a design decision (deliberate convenience feature) that is being abused.
This approach is only possible when a third party has script access to the first-party domain, since cross-origin access needs to be set explicitly -- this means that it will only work when the site owners explicitly allow this script access, so actually stealing credentials through scripts that are not known to the website owners won't be possible. In the case of XSS, we have CSP to mitigate that.

I am however ahead of this already, because I do recognize the risk of this feature being enabled by default. See Issue #1559. I'll change the default, but will provide an easy way for users to re-enable it if they prefer the convenience of it and find having to click the user name field to be too cumbersome for their workflow.
Last edited by Moonchild on 2017-12-30, 08:03, edited 2 times in total.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
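As an added example (not code from the thread or from Pale Moon), here is a small evaluator for the CSP script-src directive that Moonchild points to as the mitigation for scripts a site owner did not deliberately include: given a policy, a page origin and a script URL, it answers whether that script would be allowed to run. The policy string and the hosts shop.example, cdn.example.com and analytics-partner.net are constructed for the demonstration; nonces, hashes, 'unsafe-inline' and 'strict-dynamic' are not modelled.

```javascript
// Constructed sample policy: first-party scripts, one CDN and one explicitly
// allowed third-party tracker domain. Anything else is refused by the browser.
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com *.analytics-partner.net";

function parseScriptSrc(policy) {
  // script-src falls back to default-src; no applicable directive means no restriction.
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

function parseHostSource(src) {
  // Host source: [scheme://]host[:port][/path]; "*." prefix matches any subdomain.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/\S*)?$/i.exec(src);
  return m && { scheme: m[1] ? m[1].toLowerCase() + ":" : null,
                host: m[2].toLowerCase(), port: m[3] ?? null, path: m[4] ?? "" };
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1;
  return pattern === host;
}

function sourceAllows(src, page, script) {
  if (src === "'self'") return script.origin === page.origin;
  if (src.startsWith("'")) return false;                                   // keyword not modelled
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return script.protocol === src;   // scheme source, e.g. https:
  const h = parseHostSource(src);
  if (!h) return false;
  // A scheme-less host source inherits the page scheme (https is always acceptable).
  const schemeOk = h.scheme ? script.protocol === h.scheme
                            : script.protocol === page.protocol || script.protocol === "https:";
  if (!schemeOk || !hostMatches(h.host, script.hostname)) return false;
  if (h.port === null ? script.port !== "" : (h.port !== "*" && h.port !== script.port)) return false;
  if (h.path && !(h.path.endsWith("/") ? script.pathname.startsWith(h.path) : script.pathname === h.path)) return false;
  return true;
}

function scriptAllowed(policy, pageOrigin, scriptUrl) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return true;
  if (sources.some(s => s.toLowerCase() === "'none'")) return false;
  const page = new URL(pageOrigin), script = new URL(scriptUrl);
  return sources.some(s => sourceAllows(s.toLowerCase(), page, script));
}

for (const u of ["https://shop.example/app.js", "https://t.analytics-partner.net/t.js", "https://evil.example/s.js"])
  console.log(u, "->", scriptAllowed(EXAMPLE_POLICY, "https://shop.example", u) ? "allowed" : "blocked");
```

The last line shows the point of the post: the tracker domain the site owner listed is allowed, while a script the owner never listed is blocked even if injected via XSS.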
