On 7 Dec., 01:02, Justin Dolske <dol...@mozilla.com> wrote:
> On 12/2/10 1:58 AM, thorsten wrote:
>
> > The Concept:
> >
> > Simple explanation: If the user is about to send his password to a
> > page he never visited before he is warned.
>
> Seems like this could be easily bypassed by a phishing page that uses JS
> to listen for keypress events (as the password is typed). Or even,
> depending on how/when you check, simple obfuscation of the submitted value.
>
> Justin
Hi Justin. Thanks for your input. I was hoping for someone to join.

I also fear the evil guys will try to bypass it. I already have some ideas of how to prevent some tricks, but I am not sure if they will prevent every possible trick out there.

At the moment the extension is checking if there is a password field in a form leading to the target page. The password itself is NOT relevant. I do not even check if there is any GET/POST data in the HTTP header.

What is a bit risky is: Can they hide the password entry or the form itself? If they hack something together to hide it, can we detect this hack? Is there another way to detect if a password has just been sent? Is it possible to restrict keypress event listening to non-password entries only?

(I work for AVIRA, an AV company, and I really love bad guys doing a hell of a trick that can be detected easily. Just force them to do something obvious and stupid and you can easily catch them.)

Cheers
Thorsten

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
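The decision rule Thorsten describes (warn when a form containing a password field would submit to a host the user has never visited), as an added example that is not the extension's own code. It runs in plain Node on a form description the extension would extract from the DOM; the form shape, the `visitedHosts` set and the sample page URLs are assumptions for illustration. It also covers the cases the thread raises: an empty action (submits to the page itself), a `javascript:` action (handled by script, so there is no navigation target to check), and a password field sitting outside any form.

```javascript
// Added example: decision logic for the "password to a never-visited site" warning.
// Form description (assumed shape): { action: string, hasPasswordField: boolean }.
// visitedHosts: a Set of hostnames taken from browsing history (assumed input).

function formTargetHost(form, pageUrl) {
  const action = (form.action || '').trim();
  // An empty action submits back to the current document.
  if (action === '') return new URL(pageUrl).hostname;
  // A javascript: action never navigates; the data goes wherever the script sends it.
  if (/^javascript:/i.test(action)) return null;
  try {
    // Resolve relative actions ("/login", "//other.example/...") against the page.
    return new URL(action, pageUrl).hostname;
  } catch (e) {
    return null; // malformed action: no resolvable target
  }
}

function shouldWarn(form, pageUrl, visitedHosts) {
  if (!form.hasPasswordField) {
    return { warn: false, reason: 'form has no password field' };
  }
  const host = formTargetHost(form, pageUrl);
  if (host === null) {
    // No navigation target to compare against history: treat as unknown, warn.
    return { warn: true, reason: 'password form target cannot be resolved to a host' };
  }
  if (visitedHosts.has(host)) {
    return { warn: false, reason: 'target host ' + host + ' was visited before' };
  }
  return { warn: true, reason: 'password form submits to never-visited host ' + host };
}

// Page-level check: every form with a password field is evaluated, and a
// password field that belongs to no form at all (orphanPasswordFields > 0)
// is itself a warning, since plain form checking would never see it.
function checkPage(page, visitedHosts) {
  const findings = page.forms
    .map((f) => shouldWarn(f, page.url, visitedHosts))
    .filter((r) => r.warn);
  if (page.orphanPasswordFields > 0) {
    findings.push({ warn: true, reason: 'password field outside any form' });
  }
  return findings;
}
```

This sees only form-based submission; a page that collects keystrokes with a script (Justin's point) produces no form target, which is why the orphan-field case is reported separately.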