Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This exploit might be defeated with the following css:

input[type="password"] { background-image: none !important; }

And if the exploit uses `!important` then you just need to make your selector more specific such as putting it inside an id. If you have malicious javascript running on your page there are better ways to steal data. I feel there is low risk of coming across this problem in the wild.



Actually if you use inline style with important there is no way to override it.

I.e. <input type="password" style="background-image:none !important"/>


Although that does rely on targeting that specific attribute. There are probably a handful of ways to trigger an http request in this instance.

You don't actually even need to select that specific node - whilst you can't use :after on replaced elements, if the input has a sibling an attacker could input[type="password"] + div:after or something along those lines.

The main takeaway for me is that making a password field a controlled component is a marginal security risk in some instances, and letting people pump their own styles into sign-in pages is a bad idea.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: