Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity

    Test Finds Google Chrome, Apple Safari Weakest in Browser Password Management

    By
    Brian Prince
    -
    December 15, 2008
    Share
    Facebook
    Twitter
    Linkedin

      A test by IT consulting company Chapin Information Services has turned attention toward what is perhaps an undervalued element of browser security-password management.

      The company took a look at all the major browsers: Internet Explorer 7, Opera 9.62, Firefox 3.04, Safari 3.2 and Google Chrome. According to the study, each browser was susceptible to a number of vulnerabilities that could expose password information. Of the five, Opera Software‘s Opera and Mozilla Firefox fared the best-meaning they passed seven of the 21 tests. Internet Explorer passed five tests, while Google Chrome and Apple Safari passed only two.

      Three issues were cited by CIS as being problems that, when combined, could allow cyber-thieves to steal passwords without a user’s knowledge. The first two are whether the browsers check the destination where passwords are sent and the locations where they are requested.

      According to CIS, none of the browsers’ password managers checked the action path when passwords were retrieved or saved. In addition, only Opera and Firefox prevent the browsers’ password manager from delivering a password to a domain other than the one to which the password was delivered when it was saved.

      “Intuitively, this is something that should happen all the time,” said Robert Chapin, president of CIS. “If I go to Google.com and I save a password there, and the next day I go to log in again, if Google is telling my browser to send my password to [the] Yahoo Web site, most of these browsers … couldn’t care less where that password is being sent to.”

      All this matters, Chapin said, because if there is a Web site that is either compromised or that intentionally allows users to inject their own HTML, users are vulnerable to having their information stolen. However, Ian Fette, a security project manager at Google, correctly pointed out that users in those scenarios would be vulnerable to a number of different attacks.

      Other Password Security Issues

      “The claimed vulnerability here is that if you don’t check the action authority you might be sending the password to the wrong site, so the attacker would change the action authority to point toward his own site or some other questionable site to steal your password,” Fette said. “If the attacker can actually change the form on the Web page, there is a ton of other things that he could do to get your password.”

      In addition, Fette countered that adding such a feature could cause usability problems.

      “It might be the case that you have a Web site that’s either a banking Web site or a big commerce Web site with a lot of back-end servers, so they might not always use the same domain name,” he said. “It might not always be ‘mystore.com’-it might be server1.mystore.com … if you put in a check that says the action domain has to be the exact same, then if they ever change their Web site or [are] using some load balancing scheme where they’re sometimes [using] different domains, they would then fail that check.”

      Chapin argued that the fact that Firefox addresses this issue means it can work.

      “The example of mystore.com vs. server1.mystore.com is invalid when the discussion is about gmail.com versus hotmail.com,” Chapin said. “Every browser can make that distinction because it is already a common feature of JavaScript’s ‘same-origin policy.’ The only real corner case is when mystore.com decides their domain authentication system is going to involve multiple DNS names like login1.mystore.com, login2.mystore.com, etc. There are any number of ways to resolve that case gracefully, but the way Google Chrome does it is by allowing the credentials from any domain to be submitted.”

      The third critical issue is whether the password manager delivers a password using a form that is not visible. If an attacker can put an invisible password form on the page and count on the password manager to fill in the form, it is possible to steal a user’s password without the user ever knowing, Chapin explained.

      “Firefox and Google Chrome don’t pay any attention to that whatsoever,” he said. “In their Document Object Model, if they find a password field, all bets are off-the password manager gets activated and it sticks a password in there.”

      Only Opera and IE required user interaction before a password was retrieved and filled in. Safari required explicit user interaction for passwords to be saved, as did IE; the others did not.

      “The password manager is not a relatively large program, but it seems like something that does not get a lot of attention during development,” Chapin said.

      Brian Prince
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×