All the most commonly used Internet browsers are vulnerable to exploits that can force them to cough up users' personal information that can be used to hack into bank accounts or set them up for other attacks, the Black Hat 2010 conference will be told this week.
"None of the tools I will demonstrate are really difficult," says Jeremiah Grossman, CTO of WhiteHat Security who will present the briefing "Breaking browsers: Hacking Auto-Complete" at the conference.
He says his exploits can coax browsers to give up the information automatically stored by browsers in a feature called auto-complete, which is designed to make it simpler to fill out forms on Web sites that users intend to go to. This includes name, address, email address and in some cases passwords used for accessing sites such as online banking, credit card numbers and search terms that have been entered.
"It's a privacy and a security issue," he says.
Some of the information the browsers relinquish can be used to set up multi-stage attacks where the user is drawn in to giving up more information or to download malware that compromises email or bank accounts.
The surest way around the problem is to turn the auto-complete feature off, but he acknowledges that some people may prefer the convenience it offers to blocking the risk it represents.
Grossman says he had to come up with different exploits for different browsers, but that he found a way to compromise auto-complete on different versions of Internet Explorer, Safari, Chrome and Firefox. This includes Internet Explorer 6 and 7, which account for a third of the browsers used on the Internet, he says.
He says he has notified the makers of the browsers but none has told him of definite plans to fix what he describes as flaws. More than one exploit uses simulated keystrokes to start entering the user's name, and then the feature kicks in to yield more.The fact that each browser required a different exploit indicates the problems are with the software coding. "I think they could be fixed," he says.
The flaw Grossman found in Internet Explorer had been discovered independently by someone else in 2008, but so far is still unpatched, he says.