r/webdev - [Cybersecurity Lesson] Auto-complete scams. What are they? How to detect them?

TL;DR: some hackers will have billing and address HTML forms hidden so that you will provide them without explicit consent. This is a live demo built by u/anttiviljami.

To avoid this phishing risk, you can turn off the autofill settings in your browser. The bug’s been known since forever but I only learned how the auto-fill works. It’s basically a guessing game based on important name tags in HTML.

However, some mischievous hackers would have fields off-center, or hidden, or set to display none, to grab sensitive data. E.g. phone number containers that are off-center using HTML:

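    <!-- off-screen container; same idea for cc, phone number, etc. -->
    <p style="margin-left:-1000px"> <label for="phone">Phone</label> <input id="phone" name="phone" type="tel"> </p>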

You can instantiate it as hidden, or you can even add one inline CSS style that throws it out of the scope of the browser. To test, add style="margin-left:-1000px" to any element on this page and see what happens.

Now, HTML/CSS can be modified by JavaScript to hide and show elements, or even instantiate them hidden:

    // Swap which fields are shown when the OK button is clicked
    document.getElementById("okButton").addEventListener("click", function() {
      document.getElementById("name").hidden = true;
      document.getElementById("address").hidden = false;
    }, false);

Notice how the address will be hidden on the click of ok Agree?

    <div id="cc" class="panel">
      <h1>Welcome to change.bs!</h1>
      <p>By clicking "OK" you agree to sign a petition!</p>
      <button class="button" id="okButton">OK</button>
      <p><label for="name">Name</label><br><input id="name" name="name" type="text" placeholder="Your Name"></p>
      <!-- not displayed to the user, but still part of the form -->
      <p style="display:none;"><label for="address">Name</label><br><input id="address" name="address" type="text"></p>
    </div>

In essence, it’s a Tom & Jerry game. How well can hackers hide important fields using code obfuscation? You can do it with jQuery, or probably any other framework, because more layers will mean harder detection, but this is just my speculation.

The official to autocomplete words suggested by HTML. However, each browser has a different implementation, since I believe Firefox is NOT susceptible because the autocomplete mechanism is per field, not for everything.

Now a question for more experienced users.

I can give a Pastebin of the entire DOM-tree once I remove IID/PID?

I have had a test-proctoring website ask me for CC information in autocomplete when all they displayed were first and last name fields? Is there something more, or is that an honest mistake from sites? Because I couldn’t find anything “incriminating”, but I’m still a noob…
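
For the "how to detect them" part of the title, an added example (not part of the original post or the linked demo): it lists form fields that autofill could plausibly fill but that have no visible box or sit off the left or top edge of the page. The field-name hints, the function names and the sample data are assumptions made for illustration.

```javascript
// Added example, not from the original post. The field-name hints are a
// constructed heuristic, not any browser's actual autofill list.
const HINTS = /name|address|street|city|zip|postal|phone|tel|email|card|cc|cvc|cvv/i;

// Pure check on a plain description of one field, so it also runs outside a browser.
function hiddenReasons(f) {
  const why = [];
  if (f.hiddenAttr) why.push("hidden attribute");
  if (f.visibility === "hidden") why.push("visibility:hidden");
  if (f.opacity === 0) why.push("opacity:0");
  if (f.width === 0 || f.height === 0) why.push("no rendered box (display:none or zero size)");
  else if (f.docRight <= 0 || f.docBottom <= 0) why.push("positioned off-screen");
  return why;
}

// Returns the fields that look autofillable but that the user cannot see.
function findHiddenAutofillFields(fields) {
  return fields
    .filter((f) => HINTS.test([f.name, f.id, f.autocomplete].join(" ")))
    .map((f) => ({ field: f.name || f.id, reasons: hiddenReasons(f) }))
    .filter((r) => r.reasons.length > 0);
}

// Browser adapter: turns live inputs into the plain descriptions used above.
// Rect-based checks also catch a hidden or shifted parent, like the post's <p>.
function describeFields(doc, win) {
  return [...doc.querySelectorAll("input:not([type=hidden]), select, textarea")].map((el) => {
    const r = el.getBoundingClientRect();
    const cs = win.getComputedStyle(el);
    let opacity = 1; // opacity is not inherited, so take the minimum up the tree
    for (let n = el; n; n = n.parentElement) {
      opacity = Math.min(opacity, Number(win.getComputedStyle(n).opacity));
    }
    return {
      name: el.name, id: el.id, autocomplete: el.getAttribute("autocomplete") || "",
      hiddenAttr: el.hidden, visibility: cs.visibility, opacity,
      width: r.width, height: r.height,
      docRight: r.right + win.scrollX, docBottom: r.bottom + win.scrollY,
    };
  });
}

// Constructed sample: visible name, display:none address, off-screen phone.
const SAMPLE = [
  { name: "name", id: "name", opacity: 1, width: 180, height: 24, docRight: 300, docBottom: 200 },
  { name: "address", id: "address", opacity: 1, width: 0, height: 0, docRight: 0, docBottom: 0 },
  { name: "phone", id: "phone", opacity: 1, width: 180, height: 24, docRight: -820, docBottom: 240 },
];
console.log(findHiddenAutofillFields(SAMPLE));
```

On a live page, paste the three functions into the DevTools console and run `findHiddenAutofillFields(describeFields(document, window))`. Fields below the fold are not flagged, since the user can scroll to them.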

