How script kiddies can hijack your browser to steal your password

By Dan Goodin, Ars Technica, Dec 2 2012

Be careful what you type on your computer while surfing the Web. It very well could be funneled to a script kiddie who has appropriated a handful of lines of code and inserted it into his site.

The hack has been possible for years, but two proofs of concept published this month graphically demonstrate just how easy it is for even savvy people to fall for it. Both demonstrations use JavaScript to hijack the search command found in all standard browsers. The script is activated when a user presses the ctrl+f or ⌘+f keys, causing whatever is typed after that to be sent to a server under the control of the website operator rather than to the browser’s search box.

Proofs of concept here and here show how this method could be used to trick people into divulging their password or credit card number respectively. The pages pose as lists that catalog leaked user data and invite visitors to search it to see if their information is included.

To be sure, the demos are crude. The search bars that are opened are only a rough approximation of the search bars found in Google’s Chrome browser. And of course, they look nothing like the search interfaces found in Internet Explorer, Firefox, or other browsers. But as security expert Bruce Schneier once noted, exploits only get better. There’s nothing stopping a determined attacker from improving the hacks so they present an authentic-looking box that’s customized for whatever browser and operating system an end user happens to be using. Other browser functions, such as the ctrl+s or ⌘+s save commands, could also be intercepted and replaced with a fake dialog box that instructs users to enter their administrator password.
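A defender reviewing a page can test whether its key handlers swallow these shortcuts. The following is an added example, not code from the article or from the proofs of concept: it feeds a handler synthetic keydown events for the find and save shortcuts and reports which ones the handler cancels. The names `RESERVED`, `fakeKeydown`, `suppressedShortcuts` and the sample handlers are hypothetical.

```javascript
// Shortcuts the article names: find (ctrl+f / cmd+f) and save (ctrl+s / cmd+s).
const RESERVED = [
  { name: 'ctrl+f', key: 'f', keyCode: 70, ctrlKey: true,  metaKey: false },
  { name: 'cmd+f',  key: 'f', keyCode: 70, ctrlKey: false, metaKey: true  },
  { name: 'ctrl+s', key: 's', keyCode: 83, ctrlKey: true,  metaKey: false },
  { name: 'cmd+s',  key: 's', keyCode: 83, ctrlKey: false, metaKey: true  },
];

// Minimal stand-in for a KeyboardEvent that records a call to preventDefault().
function fakeKeydown(s) {
  const ev = {
    type: 'keydown', key: s.key, code: 'Key' + s.key.toUpperCase(),
    keyCode: s.keyCode, which: s.keyCode,
    ctrlKey: s.ctrlKey, metaKey: s.metaKey, altKey: false, shiftKey: false,
    defaultPrevented: false,
    stopPropagation() {}, stopImmediatePropagation() {},
  };
  ev.preventDefault = () => { ev.defaultPrevented = true; };
  return ev;
}

// Returns the names of the reserved shortcuts whose default action the handler cancels.
function suppressedShortcuts(handler) {
  const hits = [];
  for (const s of RESERVED) {
    const ev = fakeKeydown(s);
    let returned;
    try { returned = handler(ev); } catch (err) { /* handler expected a real DOM */ }
    // Handlers attached as on* properties cancel by returning false; count that too.
    if (ev.defaultPrevented || returned === false) hits.push(s.name);
  }
  return hits;
}

// Constructed sample handlers for the demonstration (not taken from any real page).
const overridesFind = (e) => {
  if ((e.ctrlKey || e.metaKey) && e.keyCode === 70) e.preventDefault();
};
const benign = (e) => { if (e.key === 'Escape') e.preventDefault(); };
const legacySave = (e) => !(e.ctrlKey && e.key === 's');

console.log(suppressedShortcuts(overridesFind)); // [ 'ctrl+f', 'cmd+f' ]
console.log(suppressedShortcuts(benign));        // []
console.log(suppressedShortcuts(legacySave));    // [ 'ctrl+s' ]
```

Some legitimate web applications also replace the browser's find with their own, so a hit is a reason to inspect what the page draws and where the typed text goes, not proof of abuse.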

