- From: Dennis Joachimsthaler <dennis@efjot.de>
- Date: Sun, 10 Jul 2011 16:03:30 +0200
How about deleting the value if the input type is changed away from the secure password input type AND that the secure password can only be submitted to a similar URI?

On 10.07.2011, at 12:44, Alex Vincent <ajvincent at gmail.com> wrote:

> On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>
>> > For the last 10+ years, password inputs have been accessible from scripts,
>> > with nary a complaint. If I have this code:
>>
>> Unfortunately, the problem is not that easy to fix: denying access to
>> the field does not prevent the attacker from changing the form
>> submission URL after autocompletion to achieve the same...
>
> Or even simpler, changing the type attribute to something like "hidden" for
> an instant.
>
> I hate it when I don't think things through.

--
Created with Opera's revolutionary e-mail module: http://www.opera.com/mail/
Received on Sunday, 10 July 2011 07:03:30 UTC
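
The two rules proposed in this message, modelled as an added example that is not part of the thread or of any browser's code. `SecurePasswordField`, its methods and the `.example` URLs in use are hypothetical, and "similar URI" is assumed here to mean same origin.

```javascript
// Model of the field semantics proposed in the message (not a real browser API).
// Assumption: "similar URI" is read here as same origin (scheme + host + port).
class SecurePasswordField {
  #value = "";
  #type = "password";
  #filledFor = null; // origin the credential was autofilled for

  constructor(pageUrl, formAction) {
    this.pageUrl = pageUrl;
    this.formAction = formAction; // page script may reassign this at any time
  }

  // Called by the (hypothetical) password manager, never by page script.
  autofill(secret) {
    this.#value = secret;
    this.#filledFor = new URL(this.pageUrl).origin;
  }

  get type() { return this.#type; }
  set type(newType) {
    // Rule 1: leaving the secure type discards the stored value for good.
    if (this.#type === "password" && newType !== "password") {
      this.#value = "";
      this.#filledFor = null;
    }
    this.#type = newType;
  }

  // Rule 2: the target is checked at submit time, so a late change to
  // formAction is caught; relative actions resolve against the page URL.
  submit() {
    let target;
    try { target = new URL(this.formAction, this.pageUrl); }
    catch { return { sent: false, reason: "invalid-action" }; }
    if (this.#filledFor !== null && target.origin !== this.#filledFor) {
      return { sent: false, reason: "cross-origin-action" };
    }
    return { sent: true, to: target.href, value: this.#value };
  }
}
```

Because the value lives in a private field with no getter, page script in this model can only reach it through `submit()`, which is where both rules are enforced.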