Steal My Login

written by Alex Sirota

Exposing the dangers of insecure login forms

Tweet

Comments

Intro

We often use an insecure internet connection to browse the web - for example using a public Wi-Fi hotspot or if our router is configured to communicate using an insecure protocol. This exposes us to Man-in-the-middle attacks, with malicious attackers trying to steal our login information, passwords etc.

There is an easy solution to this problem - when sending sensitive information a website should always use a secure protocol such as HTTPS. This way, attackers listening to the communication only see encrypted info they cannot decrypt. You know that your communication is secure when the website address starts with 'https:' and your browser displays a lock icon and additional UI cues.

The problem

While most websites implemented a secure way to send login information, their implementation is flawed, still allowing a malicious attacker to steal your login information.

In order for the secure login form to protect you, both the page that displays the login form and the page the form is being submitted to need to be HTTPS.

Many of the biggest sites on the Web have non-HTTPS pages hosting the actual login form, even if they submit the login info to an HTTPS page.

A malicious attacker can easily inject some code to the non-HTTPS page that hosts the login form, and steal your info just before it is being securely submitted.

Demo

Check out the StealMyLogin demo. Similarly to many sites, in the demo a non-HTTPS page contains a login form that is securely submitted to an HTTPS page.

If you look at the source code of the demo page, you'll see that we injected a malicious JavaScript file stealmylogin.js into the page, just as an attacker might. This malicious code steals the login info just before its being securely submitted to the service.

Bookmarklet

Want to try this attack yourself on one of your favorite websites? Just drag the following link StealMyLogin to your browser's toolbar, navigate to a non-HTTPS page that has a login form, click on the bookmarklet to simulate an attacker injecting a malicious piece of code into the page, and proceed to login into the service.

List of offenders

This is obviously a very partial list, but it's amazing how many of the biggest sites on the Web have this significant security flaw.

• LinkedIn
• Twitter
• Facebook
• AT&T
• Netflix
• GoDaddy
• Progressive
• Tivo
• UPS

Additional background

Some assumptions:

1. There are bad people out there looking to steal your bank or credit card information, your money and your identity.
2. Many people use the same password and username in many different online services, including banks.
3. Malicious attackers will try to get your login information for any of the services you're using, which will then allow them to break into the rest.

There are several ways an attacker can try and steal your login information, like:

• Phishing - sending you an email linking to a fake site that looks like the real thing.
• Cross-site scripting (XSS) - exploiting a vulnerability in a website to inject custom JavaScript code that would then try to steal your info.
• Man-in-the-middle attack - listening to information flowing through an insecure data connection (like a malicious "free" wifi hotspot), potentially injecting malicious code into the visited websites.

Here, we are discussing the last type of attack - Man-in-the-middle.

References

• TLS and SSL in the real world

Discuss

blog comments powered by Disqus