RE: Risks the password role does create



From: John Foliot [mailto:john.foliot@deque.com]
Sent: Wednesday, June 22, 2016 4:00 PM

I think that you may have an idea there, although after spending a bit more time with this, I'm now freaked to report how truly insecure type=password is as well.

3 minutes on Google, and a few minor edits to an existing example I found, illustrate how woefully insecure that input type actually is: a single line of JavaScript can extract the obfuscated characters from *any* input and echo them back into a second form input as clear text. Make that input hidden using aria-hidden=true, and I can watch Jason enter all of his passwords without him even being aware that I can see the values on screen.
[Jason] You could even extend the exploit to generate a QR code in SVG that your mobile device could capture by taking an image of the screen (and leave out the SVG title and desc elements). None of this requires the compromised password data to be transmitted over the network, although of course for most practical purposes, attackers are likely to use the network to log the information imperceptibly to the victim.

Received on Wednesday, 22 June 2016 20:56:37 UTC