BLOG

I know your customers' passwords

Go to your ESP customer login page and use “View Source” to look at the HTML (under “Page” on Internet Explorer, “Tools->Web Developer” on Firefox, and “View” on Safari).
Go on, I’ll wait.
Search for the word autocomplete. If it says something like autocomplete=”off” then your web developers have already thought about this security issue. If it doesn’t, then you might have a serious security problem.
What’s going on here? You’ve probably noticed that when you’re filling in a web form your browser will often offer to fill in data for you once you start typing. This feature is supported by most modern browsers and it’s very convenient for users – but it works by recording the contents of the form in the browser, including the username and password.
As a bad guy that’s very interesting data. I can take some off-the-shelf malware and configure it with the URLs of a bunch of ESP login pages. Then I just need to get that malware installed on your customers desktops somehow. A targeted web drive-by malware attack, maybe based on targeted hostile banner ads is one approach, but sending email to people likely to be ESP customers is probably more effective. Maybe I’ll use hostile email that infects the machine automatically, or – most likely – I’ll use a phishing attack, sending a plausible looking email with an attachment I’m hoping recipients will open.
Once the malware is installed it can rummage through the users browser files, looking for any data that matches the list of login pages I gave it. I just need to sit back and wait for the malware to phone home and give me a nicely packaged list of ESPs, usernames and passwords. Then I can steal that customer’s email lists and send my next phishing run through that ESP.
This isn’t a new issue – it’s been discussed since browsers started implementing autocompletion over a decade ago, and it’s been a best practice to include autocomplete=”off” for password fields or login forms for years.
How serious a risk is this for ESPs? Well, I looked at the customer login pages at several ESPs that have a history of being compromised and none of them are using autocomplete=”off”. I looked at several that haven’t been compromised that I know of, and they’re all using either autocomplete=”off” or a complex (and reasonably secure-looking) javascript approach to login. Correlation isn’t causation, but it’s fairly strong circumstantial evidence.
ESPs should fix this hole if they haven’t already. If any customers are upset about having to actually type in their password (really?) they can take a look at secure password management tools (e.g. 1Password, LastPass or KeePass).
Thanks to Tim at Silverpop for reminding me that this is a serious security hole that many ESPs haven’t plugged yet and pointing me at some of these resources.
More on passwords and application security tomorrow.

7 comments

  1. Jorge says

    Thanks for the advice Laura. As useful as usual!

  2. John Sewell says

    Seriously ?
    So a malware can’t steal sessions for example ? Also, most malwares just use the good old keylogger as it’s easier than to peek inside the browser’s password, making your solution more dangerous…
    Also, the password field is not easy to read as it was in windows 98.
    Maybe it would be better to think about machine identification -as google do with it’s double auth process- than to worries peoples about a non problem ?

  3. anonymous says

    Correlation isn’t causation… (you said it, not me)
    Every browser gives the user the choice of saving passwords or not. It’s up to each user to decide what type of risk they want to take and how they want to manage access to their accounts. Explicitly not allowing the user to save a password means they are going to create weak, easily guessable passwords. When dealing with security you have to look at the entire risk scenario and in this case I think you missed the mark dramatically.
    http://lifehacker.com/5785420/the-only-secure-password-is-the-one-you-cant-remember
    I fully support the usage of 1Password and other tools as I use them myself, but forcing them upon users doesn’t solve the security issue since if someone is able to get malware on a machine they can target just about anything. If someone can get malware installed on a client machine it’s trivial to capture a password regardless of the password solution they are using to store them.
    http://www.symantec.com/connect/articles/introduction-spyware-keyloggers

  4. Catherine Jefferson says

    Not Laura, Jorge. Steve. 🙂 Definitely useful, though!

  5. Get a helmet – Word to the Wise says

    […] been a lot of interesting reaction to Steve’s security post yesterday. A lot of people seem upset that we have pointed out one of the ways that ESPs may be getting […]

  6. steve says

    I think that the bad guys are probably very thankful for people who are too lazy to add the 19 characters to their login page that will eliminate a trivial (and actively exploited) way of harvesting their customers login credentials. There being other security issues to consider doesn’t mean you should ignore this one.

  7. JOey says

    I’de be happy to know your opinion about what is saying anonymous.
    Steve should understand that it’s not about laziness, as adding 19 characters doesn’t take time. But it might cost you a lot, as your userfriendliness vanishes!!

Comment:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.