-
August 6th, 2009, 01:37 AM
#1
Is your FF/Ie/Chrome etc saving plain txt credit card details?
Greetz.
Came across this article earlier, thought I'd post it up and share.
These instructions are for Firefox, however the same principle applies to IE and Chrome, however I do not know how to access the form history from those browsers.
Download and install this add-on, it provides you with a GUI to easily access sqlite files (databases)
https://addons.mozilla.org/en-US/firefox/addon/5817
Now if you are running Windows Vista or 7 browse to C:\Users\<UserName>\AppData\Roaming\Mozilla\Firefox\Profiles\<RandomString>.default\formhistory.sqlite
In XP it is C:\Documents and Settings\<UserName>\Application Data\Mozilla\Firefox\Profiles\<RandomString>.default
Hit browse & search then the search button. Now under the field 'fieldname' type in credit or cc and pick 'contains' from the drop down menu. Hit ok.
Now if you have ever bought anything on the internet with your credit card chances are all the information is saved here, full name, visa number, expiry, and CSV number.
Another way to check is to type in the first 4 digits of your credit card into the field 'Value' and pick 'contains' from the drop down menu. Once again you will find your credit card number popping up all over the place.
Now I don't think it would be very difficult at all to write a small trojan that steals these databases and uploads them, certainly a lot easier to do than setting up a keylogger that has to run for weeks. Quite an easy way to steal someone's identity.
I recommend you delete all the entries you find, or even delete the entire file if you don't want any forms being remembered.
I imagine there are hundreds of sites that have been coded poorly and will cache these details.
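The manual check described in post #1 can be scripted as a self-audit of your own profile. This is an added example, not part of the original thread; it assumes the form history lives in a table named moz_formhistory with id, fieldname and value columns, and the function names are hypothetical. It goes slightly beyond the post by flagging any Luhn-valid 13 to 19 digit value regardless of field name, and it masks what it finds.

```python
import re
import sqlite3
from pathlib import Path

FIELD_HINTS = ("credit", "cc")  # search terms from the post; "cc" also hits e.g. "account"

def luhn_ok(digits):
    """Luhn checksum that real payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_form_history(db_path):
    """Return (id, fieldname, masked_value, reason) for rows worth deleting."""
    # Open read-only so the audit cannot alter the profile.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    findings = []
    try:
        # Assumed schema: table moz_formhistory(id, fieldname, value).
        for row_id, field, value in con.execute(
                "SELECT id, fieldname, value FROM moz_formhistory ORDER BY id"):
            digits = re.sub(r"[ -]", "", str(value or ""))
            if re.fullmatch(r"[0-9]{13,19}", digits) and luhn_ok(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append((row_id, field, masked, "card-like value"))
            elif any(h in (field or "").lower() for h in FIELD_HINTS):
                findings.append((row_id, field, "<hidden>", "card-like field name"))
    finally:
        con.close()
    return findings

def build_sample_db(db_path):
    """Create a constructed formhistory database for the demonstration."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, fieldname TEXT, value TEXT)")
    con.executemany("INSERT INTO moz_formhistory (fieldname, value) VALUES (?, ?)", [
        ("searchbar-history", "cheap flights"),
        ("cc_number", "4111 1111 1111 1111"),  # well-known test number, not a real card
        ("creditCardName", "Jane Example"),
        ("q", "4111111111111111"),
        ("phone", "1234567812345678"),         # 16 digits but fails Luhn
    ])
    con.commit()
    con.close()
```

Run `audit_form_history` on a copy of formhistory.sqlite taken with the browser closed, since the live file may be locked.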
-
August 6th, 2009, 09:02 AM
#2
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
August 6th, 2009, 10:20 PM
#3
Wow...Opera really isn't on that list. So what is FF/Ie/ and Chrome smoking?
-
August 7th, 2009, 03:11 PM
#4
I guess that browsers that don't support autocomplete (like Opera) don't have this issue. Other than that, the issue seems to be a combination of a few things: firstly, autocomplete is turned on by default for input boxes (so in order to turn it off, you'd have to specifically include the autocomplete="off" attribute - but from what I can find, that's not valid XHTML).
Secondly, I thought that IE turns off autocomplete when it detects an https connection, so if you're having the issue described in the article, there's a problem that's bigger than just an autocomplete issue.
"I recommend you delete all the entries you find, or even delete the entire file if you don't want any forms being remembered."
I haven't tried this, but I'm going to guess that IE and Firefox will just recreate the files if you delete them. If you don't want any forms being remembered, you could just, you know, turn off autocomplete?
Edit: this (http://msdn.microsoft.com/en-us/libr...86(VS.85).aspx) seems to say that autocomplete is enabled over https after all unless specifically turned off...
-
August 7th, 2009, 07:48 PM
#5
A very interesting note on FF and Ie, they both seem to have that private browsing thing. Could that possibly be an alternative?
-
August 7th, 2009, 08:26 PM
#6
InPrivate browsing mode sucks, trust me..
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
August 7th, 2009, 10:57 PM
#7
Why does it suck? I don't really use it, but I can't think of a single reason why it would suck
It doesn't store form data so it's definitely an alternative.
-
August 8th, 2009, 03:24 AM
#8
I don't think that the person who wrote the article has much of a clue about browser software or the internet.
Negative is quite right. If you allow your browser to autocomplete forms and save private data for quick entry then it will do precisely that. Browsers are only as secure as you set them up to be, which will depend on your diligence and knowledge of the browser.
In FF just go into the "Privacy" settings and tell it not to save stuff and clear private data on closing. Look at the details of this and you can choose what you want it to delete, which includes passwords, cookies, form contents and the rest.
My wife does online shopping. I have just checked her machine and there is absolutely NO stored CC data.
Tools such as CCleaner also wipe this information, as well as the manual and automatic features in the browser itself.
"I imagine there are hundreds of sites that have been coded poorly and will cache these details."
Errrrrrrrrrrr.........................I don't think that secure online transaction systems work like that
Last edited by nihil; August 8th, 2009 at 09:44 AM.