Breaking Browsers: Hacking Auto-Complete (All Materials Available)


BlackHat was one amazing ride. Over 5,000 people attended, a conference record. I got to see a ton of friends and colleagues and was fortunate enough to meet many new and interesting people. Of course a big highlight for me was my presentation, in which roughly 800 - 1,000 people showed up. A great turn out considering the talk was up against really solid and well-known presenters like Haroon Meer, Moxie Marlinspike, Christofer Hoff, and Ivan Ristic. Aside from some projector glitches and a failed cookie eviction demo everything went smoothly. From feedback in the hallway much of the audiences pin-drop silence was due to shock given how ridiculously simple yet effective these hacks were. :)

Essentially I described how a malicious website could steal their visitors names, job title, workplace, physical address, telephone number, email addresses, usernames, passwords, search terms, social security numbers, credit card numbers, and on and on by manipulating a Web browsers HTML form auto-complete / autofill functionality. For good measure I also showed show a Web page could evict all of a users cookies thereby automatically logging users out of all their current sessions, delete tracking cookies, and so on. Lastly, with only clever bits of of javascript, these attacks impact millions of Web users cheaply via online advertising networks. Yes, a lot of fun.

My complete “Breaking Browsers: Hacking Auto-Complete” slide deck is available. I’ve put up a series of blog posts describing each of the distinct Web hacking techniques complete with proof-of-concept code, screen shots, videos, and technical explanations. Enjoy!

Other closely related Auto-Complete / AutoFill bugs: