by danso 3456 days ago
Wow, this seems like such an obvious attack vector that I just assumed it was somehow mitigated (somewhere, magically, I suppose). Does it even require the user to press the Submit button, i.e. could the site's JS trigger the POST request after the event of the autofill?

No need for a submit click. Presumably auto-fill triggers a change event on each affected input, but even if it didn't, an attacker could just repeatedly check for new content in the inputs. This means an optimistic solution (autofilling and then unobtrusively notifying the user what was autofilled) is not viable.
I don't think it does trigger a change for exactly this reason. I tried to build a Material login page a couple years back, where the placeholder became the label when you typed. I couldn't get it to work with autofill, because I couldn't find a vector to detect when autofill had happened. Here's a related issue:

https://bugs.chromium.org/p/chromium/issues/detail?id=352527

It doesn't trigger a change, but you can certainly poll for non-empty strings: https://jsfiddle.net/k91o1dw9/7/

Edit: That is, for the purposes of this exploit. I understand it's ugly.

That's correct - this has also been a massive issue for React, and still isn't fixed in a released version. There's a fix that was merged some time ago, pending release with React 16 [1]. There's some discussion about a third-party effort to back-port it to 15.x.

[1] https://github.com/facebook/react/issues/7211#issuecomment-2...)

Notice that it's not checking the data with JavaScript. I was under the impression that there is already a security measure against this as far as JavaScript is concerned. The browser is already instructed to lie to JavaScript about certain details such as the :visited state of a link and any CSS rules that follow as a result of this.

Even if you can't read the values with JavaScript, you can submit the form with JavaScript.

So then you'd need to prompt the users to confirm that they want to autofill, not just notify that autofill happened. Otherwise it may already be too late.

Even if you couldn't read any hidden value with JS and had no way of telling if they changed (didn't try it myself), you could submit the form every 5-10 seconds or so in the background and reject it server-side if a hidden field is missing.

You can check the data with JavaScript if you poll. Try it out: https://jsfiddle.net/k91o1dw9/7/

Yup, you could AJAX-ily listen to the phish fields.