Friday, December 19, 2008

Blog: Plugging a Password Leak [by web browsers]

Plugging a Password Leak
Technology Review (12/19/08) Kremen, Rachel

Researchers from Harvard University's Center for Research on Computation and Society, the University of California, Berkeley, and Stanford University have improved the security of browser-based automatic log-in procedures. The researchers focused on password managers built as browser bookmarklets, which use JavaScript to log a user in to a Web site automatically. They identified a major flaw in such bookmarklets: an attacker could trick a bookmarklet into revealing all of a user's passwords. Bookmarklet-based password managers generally store passwords on a central server, and when the user visits one of the registered sites the bookmarklet logs the user in automatically. However, the researchers found that a bookmarklet cannot trust the page it is running in to report which Web site the user is actually visiting, so a few lines of code on a malicious page are enough to make the password manager hand over credentials meant for another site. The researchers' solution checks the HTTP Referer header sent to the password manager's server instead of checking the browser window's reported location. The improved bookmarklet also uses the Secure Sockets Layer (SSL) protocol so that the header cannot be easily forged in transit. The researchers say that a new browser feature, postMessage, will in the future let browser windows exchange information securely, providing even better protection than the SSL-based solution.
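To illustrate the postMessage approach the article anticipates, here is an added example (not code from the article or from the researchers' bookmarklet): a small credential handler that releases a site's password only when the browser-supplied origin of the request matches an exact, HTTPS-only entry in a constructed sample vault, ignoring any URL the requesting page claims about itself. The vault contents, origin names and function names are all assumptions made for the example.

```javascript
// Added example (not from the article): a bookmarklet-style password
// vault that hands credentials to a page only after verifying the
// browser-supplied event.origin of a postMessage request.

// Constructed sample vault, keyed by exact origin (scheme + host + port).
const SAMPLE_VAULT = {
  "https://mail.example.com": { user: "alice", pass: "s3cret-mail" },
  "https://bank.example.org": { user: "alice", pass: "s3cret-bank" },
};

// Normalise an origin string; returns null for anything that is not a
// well-formed https origin. Lookups are exact-match only: no substring
// or prefix matching, which an attacker-chosen hostname could satisfy.
function normalizeOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch (e) { return null; }
  if (url.protocol !== "https:") return null;
  if (url.origin !== origin) return null;   // reject "https://a.com/path" etc.
  return url.origin;
}

// event.origin is filled in by the browser and cannot be chosen by the
// requesting page, unlike any URL the page puts inside event.data.
// Returns { targetOrigin, credentials } or null when nothing may be sent.
function handleCredentialRequest(event, vault = SAMPLE_VAULT) {
  const origin = normalizeOrigin(event.origin);
  if (origin === null) return null;
  const entry = vault[origin];
  if (!entry) return null;
  // The reply is addressed to that exact origin so no other page can read it.
  return { targetOrigin: origin, credentials: entry };
}

// Browser wiring (skipped when run outside a browser, e.g. under Node).
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const reply = handleCredentialRequest(event);
    if (reply) event.source.postMessage(reply.credentials, reply.targetOrigin);
  });
}
```

The page's own claim about its location (for example a URL inside `event.data`) plays no part in the decision; only the browser-set origin does.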

