Re: Seamless iframes + CSS3 selectors = bad idea

2009/12/8 Adam Barth <w3c@adambarth.com>

> Also, what about confidential
> information written in the page, like account numbers or social
> security numbers?  I don't see why all the secrets must necessarily be
> stored in value attributes of input elements.
>

Yeah, account numbers would be very easy to get and require fewer rules. Any
data that is realistically brute-forced with CSS rules is a target. But the
*= selector is quite dangerous because you can do a word search of values.
Sirdarckcat and I were discussing using the start/end selectors to acquire
an email address, for example. It isn't as difficult as it first seems: you
match the TLDs at the end ($=.com), then use a dictionary attack on the value
before the @ (^="foo@", ^="bar@", etc.), then use the *= selector to find the
letters of the domain and find the anagram.

Also, you could steal tokens by checking for overlapping values, so you know
the start and end, you know which characters the token doesn't contain, and you
know the three-character patterns it does contain. You could then jigsaw the
pieces together to form the token.

Received on Tuesday, 8 December 2009 10:02:11 UTC
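A defender-side check for the pattern described in this message, added here as an example and not code from the thread or its participants: it scans a stylesheet for attribute selectors that use the ^=, $= and *= operators against the value attribute and flags a stylesheet when many distinct probes target the same attribute (the dictionary-style probing above). The sample CSS, the attribute list and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Matches CSS attribute selectors such as input[value^="foo@"], capturing the
# attribute name, the operator (=, ^=, $=, *=, ~=, |=) and the quoted literal.
ATTR_SELECTOR = re.compile(
    r"""\[\s*([A-Za-z_-]+)\s*([\^$*~|]?=)\s*(?:"([^"]*)"|'([^']*)')\s*\]"""
)

# Attributes whose values commonly hold secrets in a rendered page (assumed list).
SENSITIVE_ATTRS = {"value"}

# Operators that let a rule test part of a value rather than the whole value.
PARTIAL_MATCH_OPS = {"^=", "$=", "*="}


def find_value_probes(css):
    """Return one record per attribute selector that targets a sensitive attribute."""
    probes = []
    for m in ATTR_SELECTOR.finditer(css):
        attr, op, dq, sq = m.groups()
        if attr.lower() in SENSITIVE_ATTRS:
            literal = dq if dq is not None else sq
            probes.append({"attr": attr.lower(), "op": op, "literal": literal})
    return probes


def assess(css, threshold=5):
    """Flag a stylesheet when it carries `threshold` or more partial-match probes
    against the same attribute, which is what a dictionary search looks like."""
    probes = find_value_probes(css)
    by_attr_op = Counter(
        (p["attr"], p["op"]) for p in probes if p["op"] in PARTIAL_MATCH_OPS
    )
    suspicious = {k: n for k, n in by_attr_op.items() if n >= threshold}
    return {"probes": len(probes), "suspicious": suspicious}


# Constructed sample stylesheet: a small dictionary of prefixes before the "@",
# one TLD check, one substring check, and one benign href rule that is ignored.
SAMPLE_CSS = "\n".join(
    [f'input[value^="{w}@"] {{ color: red; }}' for w in ["foo", "bar", "baz", "alice", "bob"]]
    + [
        'input[value$=".com"] { color: blue; }',
        "input[value*='xam'] { color: green; }",
        'a[href^="https://"] { color: black; }',
    ]
)

if __name__ == "__main__":
    print(assess(SAMPLE_CSS))  # {'probes': 7, 'suspicious': {('value', '^='): 5}}
```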