Browser Attack Using Javascript Timers
Jul/05/07 Filed in: Information Security
When visiting a site that requires you to fill out a form with your name and address, it is very common to falsify this information to avoid SPAM, phone calls, etc. For example, say you come to a site that allows you to download a file only after giving up your name, address, and phone number. You want the file, but you really could do without the sales call that will follow, as well as the likely inclusion in a million subsequent mailing lists.
So if you're like me, you fill out false information. If you're nice like me, you make it obvious, by using names like "Please, NoContact" and email addresses like "nospamplease@[site you are on].com." If you're also like me, you love the feature of your browser that auto-fills forms. So if I go to a site such as the example one, as soon as a form field with a name such as "Name" gets the focus, the whole form is happily filled out.
What a slightly devious developer can do is take advantage of this fact, and use a JavaScript timer function to grab the data and send it (via a javascript function, AJAX, or just plain submit the form) to his Web server before you have a chance to change it. Done "correctly," you'll never even know. In fact, it could be used as a mechanism to detect when users have changed the information from that which they provide under normal circumstances.
Using Internet Explorer, Firefox, and Safari I was able to demonstrate this works in multiple browsers. All you need is Javascript and the forms AutoFill feature enabled. I'm not about to post the code and let it loose to hundreds of script kiddies, but if you Contact Me and convince me you need it, I'll happily send it along.
The threat to you is very low, but I thought it was an interesting academic example of how seemingly unrelated features work together to form a weakness.
