29 comments

[ 5.0 ms ] story [ 232 ms ] thread
Why would you ever need to enter your browser into the search mechanism? I just don't get it.

If you're having this problem, I hear Common Sense 2013 is a great browser security package.

I'm not sure I understand you correctly, but the browser you are using can be ascertained with JavaScript or a server side script.
sorry, it was autocorrect, meant to type 'password' became 'browser'
Your OS/browser already identifies itself, so they know which look to fake.

The trick is to convince someone to try finding something sensitive on the page. This might be done by showing a long list of 'leaked' passwords or social-security-numbers.

Even without explicit prompting, some people might Ctrl-F search for their own, with a false confidence that a local search isn't shared with the page.

It's just social engineering, but done in a rather slick fashion. Normally one wouldn't expect that a password or credit card number or social security number would ever be typed into a search box for a web page.

Except, what if you posted a page of compromised passwords or other data? Then someone might go to that page and search for their own secret information, to see if it had been leaked. They wouldn't even think twice about this because normally the information in a search box is secure, and known only to the browser. But if a site creates an html based search box that is hooked into ctrl-F then the user might divulge their secret information without even knowing.

That's my problem with the whole situation. The headline paints it as a technical flaw, where in reality it's human error.
(comment deleted)
It's not a flaw in the strictest sense, but it is a sort of a shortcoming. Does anybody think websites remapping your basic hotkeys is a good idea?
That's a very wrong way of thinking about the problem. It's not actually a human error except in the strictest sense. Imagine if the mechanism for flying an airplane involved a thousand different levers that all need to be carefully moved in concert in order to avoid crashing. Is crashing such an unflyable plane a "human error"?

The problem here is that browsers allow overiding ctrl-f and almost no users realize this is possible. It's not just a human problem, it's also a browser design problem. Browser makers have trained their users to trust that pressing ctrl-f will pull up a find dialog, it's as much their fault as it is user's fault.

When I posted this article, I considered changing the title because I agree that it is somewhat sensationalist and slightly misleading. I chose just to keep the actual article headline because I couldn't think of anything better at the moment. Would it have been better to change it? (I honestly don't know the HN norms)
This is a profoundly noobish description of a password theft scam. It has virtually nothing to do with 'stealing your password', or 'hijacking' at all.
I must not be understanding this correctly. The script is triggered when the user attempts to search for text on the page. When would a user search for their pw's?
I've actually seen links on hackernews that go to these big data dumps of information. Presumably, you'd check to see if your info was leaked using the browser's find mechanism. A clever enhancement is that as you type, JS on the page actually inserts whatever you're typing into the content of the page. So you won't ever just type the first few characters of your password and see it's not there, you'll always find your info or similar info on the page.

I agree that it does seem a touch unlikely to work in the real world. However, I think a scammer with a touch of ingenuity, creativity, and programming knowledge could probably construct a realistic enough scenario to fool many people.

Look at the example pages.

Because the exploit pages are lists of leaked passwords, or cc#s. So to check if their password has been leaked they would naturally search for their password.

This is just a very slick implementation of the old "enter your credit card number to see if it's been stolen" technique, except the end-users don't realize that they've given anything away.

Here's an analogy: you get a phone call from someone telling you that your bank account has been hijacked and you need to visit your local branch right away to fix it. So you drive to your bank, enter, and you go talk to a bank employee. As he sits at a computer he asks you for your bank account number, home address, and social security number. After typing them in and hitting a few buttons he tells you that your account has actually not been hijacked and you're safe, so you head home and go watch tv. Meanwhile, what actually happened is that you didn't realize that it was a bank holiday and con-men had broken into the bank and dressed up as bank employees to trick you into giving out your personal information.

(comment deleted)
Do any major browsers have a setting to disable overriding default keyboard shortcuts? It's one of those anti-features like popup windows or page transitions or custom scroll bar colors that nobody would miss if it was never invented.

There is a special place in hell for people who override PgUp/PgDown or the arrow keys in their webpages.

> There is a special place in hell for people who override [...] the arrow keys in their webpages.

Except for game developers, maps developers, in-browser document editors, presentation viewers, etc. The web isn't just hypertext any more, and part of making the browser a powerful platform is having features that could be misused.

Exactly. I'm working on something right now that wouldn't be possible without preventDefault(). Don't blame the tool, blame the people who misuse it.

    Do any major browsers have a setting to disable overriding default keyboard shortcuts
I don't know about that. When I'm using a web-based word processor or spreadsheet I want CMD+s to save the document I'm working on instead of bringing up the "Save Web Page As" dialog....
Exactly. Try using product studio team foundation server web client with Chrome.
This is interesting because it is probably more likely to affect power users. Computer illiterates wouldn't know to search. Novices would use the search menu. It's not until you hit intermediate level and higher that you are likely to see the shortcut keys being used.
Which would also be the same class of user more likely to change their password after being notified of a mass password leak.
Very interesting idea and it seems like a reasonably plausible issue. However, If you skin your Firefox browser [1], your skin also shows up in the search bar. It'd definitely be a very subtle sign of something being wrong though.

[1]: https://www.getpersonas.com/

Another reason to disable javascript by default.
I don't think i'll ever fully understand this approach. Most of the web is simply broken without javascript.
Not once have I ever, nor can think of any actual common situation where anyone would ever type their password in to a search box. Not only that but you have to be on the attackers website so they could just save your password by forcing you to log in to view or any of the hundreds of other standard ways of acquiring a password.

And if you're searching for your password on a website listing passwords and all that is going to happen is your password (without a user name and no other info other then what is in the http headers) gets added to that list, this really isn't a problem.

So many if's its hilarious: IF you go to random unprotected website AND IF that website uses this AND IF you use that hot key AND IF you search for you password to "see if it's in the list" (what value does it give you if you saw the password? none.) then the 'attacker' can save a password that isn't tied to anything. There are already password lists of common passwords, this accomplishes nothing.

..and here comes the downvotes.