web application security lab

OpS Opera Weirdness

I got an interesting email from an anonymous lurker who works for a big company dealing with XSS. He started seeing some weird stuff in his logs - specifically in the cookies. In looking into it he found the problem.

After changing filtering rules to catch some specific type of XSS attack, I started getting strange results in the logs. Some users had a cookie filled with many words concatenated together. Suddenly, I realized some of them were actually logins and passwords. What the hell - do we set cookies with passwords?!

Quick check in the documentation - no, there is no such cookie. Grepping the code - still nothing. So, it’s not our cookie. I started digging deeper into the subject, and found out:
http://userjs.org/scripts/browser/enhancements/ops
It’s an auto-completion script for Opera, storing the data inside cookies. In the current Opera version it does not store values from password inputs, but clearly in older ones it does, causing the browser to send the plain-text password with each request. Yeah, Opera is the secure browser - but the users…

Indeed… this is one of those situations where you really don’t lose any major security benefits by having this, as the only way to read it is through an XSS attack, but it certainly adds weirdness that could eventually lead to insecure things. While it’s not directly exploitable, now your usernames and passwords are on your drive in cookie form. Anyone with Notepad can go and retrieve them. That may not be a problem for most people, but some people don’t trust their spouses, kid brothers or creepy uncles. This is just another situation where the security model is changed by people who aren’t directly responsible for the browser.
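The check the email describes (is this a cookie we set at all?) can be run over logged Cookie headers. The following is an added example, not part of the original post or the email: the allowlist in `KNOWN_COOKIES`, the cookie name `example_autofill` and the sample headers are all constructed, and raw values are never kept because they may contain passwords.

```python
import hashlib
import hmac
import os

# Assumption: names of the cookies this application actually sets.
KNOWN_COOKIES = {"sessionid", "csrftoken", "lang"}

# Constructed sample Cookie request headers (not taken from real logs).
SAMPLE_HEADERS = [
    "sessionid=9f2c1a; lang=en",
    "sessionid=77ab03; example_autofill=alice|hunter2|alice@example.test",
    "csrftoken=abc123; sessionid=51de90; example_autofill=bob|s3cret",
    "lang=de",
]

# Per-run random key: tags let us count distinct values inside one run,
# but cannot be brute-forced or correlated once the process exits.
_RUN_KEY = os.urandom(32)

def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs

def find_foreign_cookies(headers, known=KNOWN_COOKIES):
    """Summarise cookies the application never set, without keeping raw values."""
    report = {}
    for header in headers:
        for name, value in parse_cookie_header(header):
            if name in known:
                continue
            entry = report.setdefault(
                name, {"requests": 0, "max_len": 0, "distinct": set()})
            entry["requests"] += 1
            entry["max_len"] = max(entry["max_len"], len(value))
            tag = hmac.new(_RUN_KEY, value.encode(), hashlib.sha256).hexdigest()
            entry["distinct"].add(tag)
    return report

if __name__ == "__main__":
    for name, info in find_foreign_cookies(SAMPLE_HEADERS).items():
        print(name, info["requests"], info["max_len"], len(info["distinct"]))
```

A cookie name that appears here but nowhere in the application's code or documentation was written by something on the client side, which is the situation the email ran into.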

2 Responses to “OpS Opera Weirdness”

  1. blah Says:

    Isn’t this more serious than you are making it out to be? Normally, with XSS, you only get the user’s current session. Once that session is ended (user logs out), you need to exploit again to reenter the app. If you can obtain actual credentials with an XSS attack, bob’s your uncle and you can reenter the app whenever you want.

  2. Kyran Says:

    Hate to burst you guys’ bubbles, but very few people even use that site. It hasn’t been maintained for some time and there is now a userjs subforum at my.opera.

    BUT, I’m not trying to lower the severity of the threat or anything. It’s funny, Opera doesn’t want extensions for lack of security, yet JS is pretty deadly itself, even if not by intent.
