Thursday, March 27, 2025

White Hat Educates Black Hat Crowd to Not Use Browser Auto-Complete

HomeSecurity
Sean Michael Kerner
By Sean Michael Kerner

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

LAS VEGAS — Not every speaker at the Black Hat security conference wears a black hat. Jeremiah Grossman, founder and CTO of Whitehat Security, is using the show as the venue to disclose an unresolved issued in Microsoft’s Internet Explorer browser versions 6 and 7.

In an interview with InternetNews.com at Black Hat ahead of his session titled “Hacking Auto-Complete,” Grossman said that IE 6 and 7 are both at risk.

The auto-complete function is the one that remembers information that a user enters into website forms. Grossman built proof of concept code that could enable an attacker to read the auto-complete content that may be stored in the user’s browser.

Grossman noted that IE 8 is not vulnerable to the same exploit. He added that he has not yet tested the proof of concept in the IE 9 developer preview.

Grossman said that he originally found the bug in the summer of 2009 and disclosed it to Microsoft that December. To date, there has been no patch for the flaw, though the mitigation isn’t too hard to figure out.

“Just turn off auto-complete,” Grossman said.

Cookie DoS

In addition to the IE auto-complete risk, Grossman explained that he has also developed proof of concept code that could dump all of a Web browser’s cookie information. He noted that the flaw will work on all major browsers.

The flaw takes advantage of the fact that all the major browsers have a hard limit of 3,000 total cookies. Once the browser hits the 3,000 cookie limit, older cookies are pushed out to make room for new ones.

So what Grossman’s code does is overload the browser so that it will have to flush out its cookies. Though cookies can contain personal information, the intent of Grossman’s technique is not about getting user information.

“I’m just blowing them away,” Grossman said. “I’m not reading cookies.”

He added that cookies are also often used to keep users logged into websites. By forcing the browser to flush its cookies, the code could be used to automatically force users to be logged out of site, creating a denial of service condition.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.

Previous article
SAP: Private Clouds Have a Role in the Enterprise
Next article
Solid State Drives vs. Spinning Disks

Subscribe to Data Insider

Learn the latest news and best practices about data science, big data analytics, artificial intelligence, data security, and more.

Similar articles

Get the Free Newsletter!

Subscribe to Data Insider for top news, trends & analysis

Latest Articles

Datamation is the leading industry resource for B2B data professionals and technology buyers. Datamation’s focus is on providing insight into the latest trends and innovation in AI, data security, big data, and more, along with in-depth product recommendations and comparisons. More than 1.7M users gain insight and guidance from Datamation every year.

Advertisers

Advertise with TechnologyAdvice on Datamation and our other data and technology-focused platforms.

Advertise with Us

Menu

Our Brands

Property of TechnologyAdvice.
© 2023 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.