
[Hendrix] Autofill for username/password makes password stealing easier


Erlend Oftedal

Nov 6, 2006, 4:44:28 AM
Name: Erlend Oftedal
Email: erlend_at_oftedal.no
Product: Firefox
Summary: Autofill for username/password makes password stealing easier

Comments:
Hello
Thank you for a great product.
I think, though, that the autofill, when only one username/password combo
exists in the password-"database", should be optional (checkbox) or
turned off. The reason for this is security, and I'll explain how:
If a site is XSS-exploitable, the user's session might be stolen. But if
the user has autofill, this may be exploited to actually steal the user's
username/password combo. I've created a test page showing this at:
http://www.oftedal.no/~erlend/test/
I wanted to send this to you guys instead of sending it to the masses.

Best regards
Erlend Oftedal

Browser Details: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
