
How script kiddies can hijack your browser to steal your password - freditup
http://arstechnica.com/security/2012/12/how-script-kiddies-can-hijack-your-browser-to-steal-your-password/
======
SoftwareMaven
This is interesting because it is probably _more_ likely to affect power
users. Computer illiterates wouldn't know to search. Novices would use the
search menu. It's not until you hit intermediate level and higher that you are
likely to see the shortcut keys being used.

~~~
modarts
Which would also be the same class of user more likely to change their
password after being notified of a mass password leak.

------
digital_surfer
I must not be understanding this correctly. The script is triggered when the
user attempts to search for text on the page. When would a user search for
their pw's?

~~~
InclinedPlane
Look at the example pages.

Because the exploit pages are lists of leaked passwords, or cc#s. So to check
if their password has been leaked they would naturally search for their
password.

This is just a very slick implementation of the old "enter your credit card
number to see if it's been stolen" technique, except the end-users don't
realize that they've given anything away.

Here's an analogy: you get a phone call from someone telling you that your
bank account has been hijacked and you need to visit your local branch right
away to fix it. So you drive to your bank, enter, and you go talk to a bank
employee. As he sits at a computer he asks you for your bank account number,
home address, and social security number. After typing them in and hitting a
few buttons he tells you that your account has actually not been hijacked and
you're safe, so you head home and go watch tv. Meanwhile, what actually
happened is that you didn't realize that it was a bank holiday and con-men had
broken into the bank and dressed up as bank employees to trick you into giving
out your personal information.

------
bcoates
Do any major browsers have a setting to disable overriding default keyboard
shortcuts? It's one of those anti-features like popup windows or page
transitions or custom scroll bar colors that nobody would miss if it was never
invented.

There is a special place in hell for people who override PgUp/PgDown or the
arrow keys in their webpages.

~~~
paulgb
> There is a special place in hell for people who override [...] the arrow
> keys in their webpages.

Except for game developers, maps developers, in-browser document editors,
presentation viewers, etc. The web isn't just hypertext any more, and part of
making the browser a powerful platform is having features that could be
misused.

~~~
artursapek
Exactly. I'm working on something right now that wouldn't be possible without
preventDefault(). Don't blame the tool, blame the people who misuse it.

------
4ydx
Another reason to disable javascript by default.

~~~
modarts
I don't think I'll ever fully understand this approach. Most of the web is
simply broken without javascript.

------
jonchang
Very interesting idea and it seems like a reasonably plausible issue. However,
if you skin your Firefox browser [1], your skin also shows up in the search
bar. It'd definitely be a very subtle sign of something being wrong though.

[1]: <https://www.getpersonas.com/>

------
hayksaakian
Why would you ever need to enter your browser into the search mechanism? I
just don't get it.

If you're having this problem, I hear Common Sense 2013 is a great browser
security package.

~~~
InclinedPlane
It's just social engineering, but done in a rather slick fashion. Normally one
wouldn't expect that a password or credit card number or social security
number would ever be typed into a search box for a web page.

Except, what if you posted a page of compromised passwords or other data? Then
someone might go to that page and search for their own secret information, to
see if it had been leaked. They wouldn't even think twice about this because
normally the information in a search box is secure, and known only to the
browser. But if a site creates an html based search box that is hooked into
ctrl-F then the user might divulge their secret information without even
knowing.

~~~
hayksaakian
That's my problem with the whole situation. The headline paints it as a
technical flaw, where in reality it's human error.

~~~
InclinedPlane
That's a very wrong way of thinking about the problem. It's not actually a
human error except in the strictest sense. Imagine if the mechanism for flying
an airplane involved a thousand different levers that all need to be carefully
moved in concert in order to avoid crashing. Is crashing such an unflyable
plane a "human error"?

The problem here is that browsers allow overriding ctrl-f and almost no users
realize this is possible. It's not just a human problem, it's also a browser
design problem. Browser makers have trained their users to trust that pressing
ctrl-f will pull up a find dialog, it's as much their fault as it is the user's
fault.
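
------
Added example, not part of the thread or the linked article: a client-side guard for the ctrl-F override discussed above, which keeps page scripts from ever seeing the find shortcuts so they cannot call preventDefault() and substitute their own search box. It assumes the code runs before any page script (for instance as a user script injected at document start); `RESERVED`, `isReserved` and `installShortcutGuard` are names made up for this sketch.

```javascript
// Shortcuts the page must not be able to cancel (constructed list for this
// example; extend it for your own browser and platform).
const RESERVED = [
  { key: "f", needsCtrlOrMeta: true },   // Ctrl+F / Cmd+F: find in page
  { key: "g", needsCtrlOrMeta: true },   // Ctrl+G / Cmd+G: find next
  { key: "F3", needsCtrlOrMeta: false }, // F3: find next
];

// True when the key event is one of the reserved find shortcuts.
function isReserved(ev) {
  let key = typeof ev.key === "string" ? ev.key : "";
  if (key.length === 1) key = key.toLowerCase(); // Caps Lock / Shift give "F"
  const mod = Boolean(ev.ctrlKey || ev.metaKey);
  return RESERVED.some(r => r.key === key && (!r.needsCtrlOrMeta || mod));
}

// Register the guard on the top-level event target. Returns a counter object
// so the caller can see how many reserved key events were shielded.
function installShortcutGuard(target) {
  const stats = { blocked: 0 };
  const guard = ev => {
    if (!isReserved(ev)) return;
    // Stop delivery to every later listener. The browser's default action
    // (opening the native find bar) is untouched: only preventDefault()
    // could cancel it, and no page handler gets to run.
    ev.stopImmediatePropagation();
    stats.blocked += 1;
  };
  // Capture phase on the top-level target runs before listeners on document
  // or on individual elements; being registered first also puts the guard
  // ahead of any capture listener the page adds to the same target later.
  for (const type of ["keydown", "keypress", "keyup"]) {
    target.addEventListener(type, guard, true);
  }
  return stats;
}

// In a browser, attach to window; elsewhere (e.g. Node) this is skipped.
if (typeof window !== "undefined") installShortcutGuard(window);
```

The guard only helps if it is registered first; a listener the page attached to the same target before it would still run and could cancel the shortcut.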

