- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Mon, 11 Jul 2011 11:12:07 -0700
On Sun, Jul 10, 2011 at 3:44 AM, Alex Vincent <ajvincent at gmail.com> wrote:
> On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>> > For the last 10+ years, password inputs have been accessible from scripts,
>> > with nary a complaint. If I have this code:
>>
>> Unfortunately, the problem is not that easy to fix: denying access to
>> the field does not prevent the attacker from changing the form
>> submission URL after autocompletion to achieve the same...
>
> Or even simpler, changing the type attribute to something like "hidden" for
> an instant.
>
> I hate it when I don't think things through.

To be fair, we already protect <input type=file> from vaguely similar type-changing attacks. (You can't make an <input type=text>, fill it with a filename as the value, then switch to type=file and submit it to steal files from the user.)

However, as noted, doing this wouldn't help in any way. The script can redirect the form submission, or just swap out the input entirely for an <input type=text> that they manually intercept clicks on and insert * for each keypress (or more deviously, set the font-family for the text input to a font where every glyph is an asterisk, and then just read out the value normally).

~TJ
Received on Monday, 11 July 2011 11:12:07 UTC