- From: Alex Vincent <ajvincent@gmail.com>
- Date: Sun, 10 Jul 2011 03:44:53 -0700
On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:

> > For the last 10+ years, password inputs have been accessible from scripts,
> > with nary a complaint. If I have this code:
>
> Unfortunately, the problem is not that easy to fix: denying access to
> the field does not prevent the attacker from changing the form
> submission URL after autocompletion to achieve the same...

Or even simpler, changing the type attribute to something like "hidden" for an instant.

I hate it when I don't think things through.

--
"The first step in confirming there is a bug in someone else's work is confirming there are no bugs in your own."
-- Alexander J. Vincent, June 30, 2001
Received on Sunday, 10 July 2011 03:44:53 UTC