Exposing the dangers of insecure login forms
We often use an insecure internet connection to browse the web - for example using a public Wi-Fi hotspot or if our router is configured to communicate using an insecure protocol. This exposes us to Man-in-the-middle attacks, with malicious attackers trying to steal our login information, passwords etc.
There is an easy solution to this problem - when sending sensitive information a website should always use a secure protocol such as HTTPS. This way, attackers listening to the communication only see encrypted info they cannot decrypt. You know that your communication is secure when the website address starts with 'https:' and your browser displays a lock icon and additional UI cues.
While most websites implemented a secure way to send login information, their implementation is flawed, still allowing a malicious attacker to steal your login information.
In order for the secure login form to protect you, both the page that displays the login form and the page the form is being submitted to need to be HTTPS.
Many of the biggest sites on the Web have non-HTTPS pages hosting the actual login form, even if they submit the login info to an HTTPS page.
A malicious attacker can easily inject some code to the non-HTTPS page that hosts the login form, and steal your info just before it is being securely submitted.
There are several ways an attacker can try and steal your login information, like:
Here, we are discussing the last type of attack - Man-in-the-middle.