26

Today I was on Steam and someone sent me a link and asked me to vote for him in some online gaming league. I clicked on it and the browser told me that this could be an unsafe link, so I didn't proceed further. Then I opened it in another browser to see if it was a legit site.

I see that this was a domain registered today and on it there is some game-related content, but it looks very suspicious. What I am curious about is whether I am at risk. Can they steal browser content such as bookmarks or saved passwords and cookies just by navigating to a website?

schroeder
sfrj
  • 3
    I would not say it's impossible, but it is very unlikely. Browsers were made with the core idea that every component should be isolated. Only if you download something like a keylogger that will check every key stroke would that be the case. But by clicking on a link, I don't believe so. – Sherlocker Oct 13 '20 at 13:09
  • unless clicking on that link **is** the act that installs the keylogger... especially if the browser delegates handling that link to a third party app, rather than showing the standard downloadable file prompt. – David Lavender Oct 14 '20 at 09:37
  • 1
    It's possible that if you proceeded further you would be able to detect what the scam was. I had one recently that was an item lotto. Once you connected your account and bid your own items, you lost them. None of the bidders were real on the site, all had fake steam ids in the network communications. – rtaft Oct 14 '20 at 13:37
  • 1
    Yeah my friend sent me the same link probably and I'm kind of an idiot and filled out the form because it looked legit (but also super sus at the same time). I have 2FA and don't repeat passwords so it's not a huge deal. They attempted to remove my 2FA from my account so yeah, the form was fake and I had to change my info. – Mkalafut Oct 14 '20 at 14:09

5 Answers

36

If it was that easy, we wouldn't be using browsers. However, if your browser has a vulnerability, then things like this may happen.

Keep browsers up-to-date and run script blockers, like no-script, to prevent this type of attack.

schroeder
  • 26
    No-script is probably a nuclear option here. Will it prevent malicious JavaScript? Absolutely. Will it make every other website OP visits unusable? Also absolutely. – TylerH Oct 15 '20 at 13:26
  • 4
    @TylerH No-script would have been OK advice maybe 10-15 years ago. Now it would pretty much "break the internet" (in a figurative sense) for that person. – Crazymoomin Oct 15 '20 at 14:57
  • 6
    @Crazymoomin: I use No-Script daily and have no problem. No-Script is not about preventing any JS from running, it's about preventing unauthorized JS from running. It's the white-list vs black-list approach. The key is that you will white-list JS on sites you visit often -- but leave off 3rd-party JS on those sites -- and it offers temporary activation for those sites you visit once in a while. – Matthieu M. Oct 15 '20 at 15:05
  • I guess my experience with script blockers is vastly different from others. Or maybe you have not seen a more recent implementation and their methods of improving UX. – schroeder Oct 15 '20 at 15:14
  • 3
    @schroeder Does it do something now other than disabling JavaScript everywhere? If so, perhaps they should consider updating the name to something more accurate. Though yes, I would posit that someone with a reputation score of 100k+ on Security.SE probably has vastly different browsing circumstances/security needs/threat model than most web users :-) – TylerH Oct 15 '20 at 15:21
  • 1
    @MatthieuM. You'd pretty much have to white-list every site you want to visit nowadays, whether you visit it regularly or not. So unless you only visit a handful of sites it's going to be of little use. Even disabling 3rd-party can break many websites in today's world of complex CDN's and the like, unless carefully filtered in. I think for the typical user a more sophisticated ad-blocker would work much better for them. – Crazymoomin Oct 15 '20 at 15:22
  • @Crazymoomin And yet, when visiting a site that you suspect, an extension that blocks all scripts is probably better... – schroeder Oct 15 '20 at 15:23
  • 1
    @schroeder I think in that case the better advice would be "Use no-script if you get a sketchy link, otherwise leave it off the rest of the time". Because having it on *all* the time is likely more trouble than it's worth for the majority of users. – Crazymoomin Oct 15 '20 at 15:34
  • 1
    @Crazymoomin considering what site we're on, shouldn't it be "if you get a sketchy link, and are foolish enough to open it, do so inside a burner VM"? OTOH I'm of the opinion that unless you're interested in trying to dissect a malicious site you shouldn't ever click sketchy links. – Dan Is Fiddling By Firelight Oct 15 '20 at 20:13
  • @DanIsFiddlingByFirelight You're probably right on both counts. If so, it adds to the lack of usefulness a simple JS blocker has in today's world compared to more advanced alternatives. – Crazymoomin Oct 15 '20 at 21:31
  • The plugin LibreJS would be the ultimate tactical nuke for protecting yourself, but it would probably break 90% of commonly used websites ;-) It basically blocks all non-trivial proprietary/obfuscated JavaScript code. – Sir Muffington Apr 04 '22 at 19:43
10

If your browser auto-fills passwords, then it is possible that add-ons/extensions/plugins can harvest your credentials even when you're not using it to log in.

Additionally, some password managers may have keyed passwords on the URL in the <form action="…"> of a site rather than the URL hosting that page, allowing an attacker to harvest credentials with a login form to the target site, perhaps rendered out of view. I'm not sure if this is still much of a risk.

See also Should web sites disable form autocomplete on all forms?

Adam Katz
  • 7
    that's not supposed to happen, so do you have a link to a demo or POC? – dandavis Oct 13 '20 at 14:53
  • 10
    The auto-fill is linked to the URL, so unless the malicious site can become the desired URL I don't see how that can be done. – user10216038 Oct 13 '20 at 15:38
  • Isn't it linked to the URL in the `<form action="…">` rather than the URL of the HTML containing that form? Even if not, any plugin/extension/add-on with read access to the website could harvest it. – Adam Katz Oct 13 '20 at 17:07
  • 1
    @AdamKatz maybe some time ago, but I tested an external login form today for a site it knew, yet got no suggestions in chrome. In terms of extensions, nobody can protect a user from themselves, but that's not a site operator's responsibility. – dandavis Oct 13 '20 at 17:23
  • Thanks for verifying that, @dandavis. I've updated my answer. – Adam Katz Oct 13 '20 at 17:35
  • 3
    As a fairly experienced computer user, the difference between an add-on and a website is quite clear to me. But a less experienced user reading this may believe those two are more closely related than they are, and thus that they are at greater risk than they are. Note: the question asks specifically about websites. Also, the note about password managers seems like not much more than speculation about something that would be a gigantic vulnerability if it were true and thus seems unlikely to exist in any reputable password manager (non-reputable ones should be avoided either way). – NotThatGuy Oct 13 '20 at 22:36
  • Regarding autofill, this doesn't always link to sites. Maybe it should, but from what I have seen I have had address fields autofill when I never went on the site since a format, so if it is meant to be site-related it isn't working as intended for me. I disabled autofill; I think it was on by default. I don't personally trust it myself. I would rather have additional security over convenience. Like most things in computing, the more convenience, the less security. – Coderxyz Oct 14 '20 at 09:44
  • @Coderxyz Credential auto-filling (because it actually does auto-fill) must always be linked to the origin of the page you're viewing. To not be would be a massive violation of the same-origin policy, the central tenet on which browser security is based. The other type of "auto-fill" that you're mentioning, address, name, or payment auto-filling, does not actually auto-fill in the same sense. It simply recognizes commonly used form fields and prompts the user to take an action, and only then will it attempt to fill those fields with saved values. – Xander Oct 14 '20 at 18:54
2

I don't think it is a question of whether it can steal the passwords already there, as others stated; it is more a question of whether it can install malware that gets your passwords the next time you type them in. Before clicking links you should scan them first on securi scan or something similar. I would advise that you format the computer before doing anything that could reveal sensitive information.

However, regarding passwords already there, it would be a 0-day exploit by the sounds of it, so they would gain more by turning it in for a bug bounty, and it would be a bit of a waste to use it on most people.

Coderxyz
  • It's certainly not worthwhile for a typical user to paste every link into a scanning site before clicking it. @Coderxyz do you really do that? Perhaps in some very specific high security context it could make sense. – bdsl Oct 15 '20 at 15:52
  • 2
    @bdsl It's not about scanning **every** site, just the ones you get sent by strangers in chat .. – Daniel Oct 16 '20 at 15:41
  • If I am unsure on a website I will scan it, anything medium risk or above I won't go near. Low risk sites that are well known are fine. It is amazing how many sites fail these scans. It takes about 10 seconds to scan a website, but a lot longer to reformat and re-install everything if you clicked on it without checking. I'd rather get my information from a well known site than some garbage blog full of ads anyway and as for the OP question here, the scanner would have instantly shown a risk because it is a new site so I doubt it had all safety checkmarks. – Coderxyz Oct 22 '20 at 23:13
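The property the asker noticed by hand, and that the comment above says a link scanner flags immediately, is domain age. As an added example (not code from the answer or from any scanning service), this is the check in JavaScript: pull the registrable domain out of the link, read the `Creation Date:` field from WHOIS output, and flag anything registered less than a month ago. The WHOIS text is a constructed sample in the common gTLD format; a real check would fetch it over WHOIS or RDAP for the link's domain, and the 30-day threshold is an assumption.

```javascript
// Added example, not from the original answer: flag a link whose domain was
// registered very recently. SAMPLE_WHOIS is a constructed record in the
// "Key: Value" layout used by most gTLD registries.
const SAMPLE_WHOIS = `
Domain Name: VOTE-FOR-ME-GAMING-LEAGUE.EXAMPLE
Registry Domain ID: D000000000-EXAMPLE
Updated Date: 2020-10-13T08:12:44Z
Creation Date: 2020-10-13T08:12:44Z
Registry Expiry Date: 2021-10-13T08:12:44Z
Registrar: Example Registrar, LLC
`;

// Extract the creation timestamp; null when the record lacks it (privacy
// redaction or an unfamiliar layout), so callers can distinguish "unknown"
// from "old".
function parseCreationDate(whoisText) {
  const m = /^\s*Creation Date:\s*(\S+)/im.exec(whoisText);
  if (!m) return null;
  const d = new Date(m[1]);
  return Number.isNaN(d.getTime()) ? null : d;
}

// Whole days between registration and `now` (injected so the result is
// reproducible); null when the creation date is unavailable.
function domainAgeDays(whoisText, now) {
  const created = parseCreationDate(whoisText);
  if (created === null) return null;
  return Math.floor((now.getTime() - created.getTime()) / 86_400_000);
}

// Verdict for a link. thresholdDays = 30 is an assumption, not a standard.
function classifyLink(url, whoisText, now, thresholdDays = 30) {
  const host = new URL(url).hostname;
  const age = domainAgeDays(whoisText, now);
  if (age === null) {
    return { host, age, verdict: "unknown: no creation date in WHOIS record" };
  }
  if (age < thresholdDays) {
    return { host, age, verdict: `suspicious: domain registered ${age} day(s) ago` };
  }
  return { host, age, verdict: "no age-based concern" };
}

// Stand-alone run with the constructed link, on the day it was registered.
console.log(
  classifyLink(
    "https://vote-for-me-gaming-league.example/vote",
    SAMPLE_WHOIS,
    new Date("2020-10-13T14:00:00Z"),
  ),
);
```

Age alone is a weak signal (legitimate sites are new once too), so treat a young domain as a reason to stop and look, not as proof of malice; the reverse is not true either, since an old, compromised domain passes this check.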
1

I clicked on it and the browser told me that this could be an unsafe link so I didn't proceed further. Then I opened in another browser to see if it was a legit site.

That likely has nothing to do with your password; it is perhaps more about personal data harvesting or fishy/deceptive content.

The reason the browser says the link is unsafe is that it was reported on a blacklist of malware sites. The reason for the report is unknown here.

There is a huge list of bad things that could happen

  • Security related
    • Malware distribution
    • Vulnerability exploitation
  • Privacy related
    • Asking you to subscribe to a free plan, having to confirm your age by credit card.
    • Collection of personal data that gets sold on the privacy black market

Unlikely to steal your passwords from the browser anyway. But the worst you could do yourself is subscribe to a new service reusing an existing password. It doesn't get stolen; you are providing it.

usr-local-ΕΨΗΕΛΩΝ
1

In short, password managers (including the ones built into browsers) are designed to prevent this from happening, so it shouldn't happen. If it does, then something else has gone wrong.

To expand on this, though, password managers have to find a balance between ease of use and security, and certain design choices can affect this balance.

One of the main and most important jobs of a password manager is only to pre-fill or automatically log in when it can be sure it is the same website as you were on when you saved that password. Because, if it does it on a different website, it may just inadvertently leak your password to some other site, and therefore to someone else that should not be given your password.

So to address your question, if this fake site is completely unrelated to any genuine site you have a saved password for, including a different domain name, there is no way it can get any of your saved passwords.

The difficulty is, the boundary for what defines a website can vary. In some cases, a website can have multiple domain names. Some password managers can know about this and let your login work across a network of domain names regardless of which one you initially saved it on. This is convenient, except if the password manager accidentally gets one wrong, and that one falls into the wrong hands. In other cases, websites with the same domain may be owned and controlled by totally different people, which is the case with shared web hosting where clients don't get their own domain name - sometimes they may have a subdomain of a shared domain, and sometimes even a subdirectory under the same host. Password managers can try to be smart about this by maintaining a record of domains which can be used for separate sites on different subdomains or directories. Or, they can take an overall more conservative approach and only match a site if it has the exact same hostname (including subdomain) and path to the login screen. Or, take an approach somewhere in between where, if there is any discrepancy, the user is prompted to confirm whether it's the same site.

Then there is the issue of site security itself. A password manager cannot know if a site's been hacked and taken over by hostile parties. It can know if a site uses https making some kinds of attacks (man-in-the-middle) more difficult though.

What all this boils down to is that there is some amount of art to the algorithm that a password manager uses to determine if the site you're visiting is authorised to be given a password you've saved before. You can help protect yourself to some degree:

  • When logging in using a saved password, stop to consider whether you're on a site where you may have separate logins to separate areas of the site such as a hosting site and you're not on your own account there.
  • Disable automatic login if your password manager has it (i.e., where the password manager also submits the form for you instead of only pre-filling it).
  • Don't necessarily just settle for the password manager provided by your browser. There are third party password managers which can have additional security features.
thomasrutter
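The matching rule this answer describes, and the `<form action>` concern raised in Adam Katz's answer and its comments, come down to one question: which URL does the manager compare against the saved entry? As an added example that is not code from either answer or from any real browser or password manager, the JavaScript below models three candidate rules side by side on a toy vault. The vault entries, the "vote for me" page, the shared host `sharedhost.example` and the naive two-label registrable-domain rule are all constructed for the demonstration (real managers that relax matching consult the Public Suffix List rather than counting labels).

```javascript
// Added example, not from any real browser or password manager: three ways a
// password manager could decide whether a saved entry may be filled on the
// page being viewed. Vault and URLs are constructed.
const vault = [
  { origin: "https://store.steampowered.com", username: "alice" },
  { origin: "https://alice.sharedhost.example", username: "alice-blog-admin" },
];

// Naive stand-in for registrable domain ("last two labels"). Real
// implementations use the Public Suffix List; this is just enough to show
// why relaxing the match is risky on shared hosts.
function naiveRegistrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Policy 1, what browsers and reputable managers do: compare the origin of the
// document being viewed (scheme + host + port). The form's action is ignored,
// so a page on another domain never receives the entry, and an https entry is
// not offered on an http page.
function matchByPageOrigin(pageUrl, _formAction) {
  const origin = new URL(pageUrl).origin;
  return vault.filter((c) => c.origin === origin);
}

// Policy 2, the historical worry: compare the URL the form will submit to,
// i.e. <form action="...">. Any page controls that attribute, so a hidden
// form pointing at the victim site gets filled on the attacker's page.
function matchByFormAction(pageUrl, formAction) {
  const origin = new URL(formAction, pageUrl).origin; // resolve relative actions
  return vault.filter((c) => c.origin === origin);
}

// Policy 3, the "convenient but can go wrong" case: compare registrable
// domains so login.example.com and www.example.com share an entry. On a host
// where every customer has a subdomain, a neighbour now qualifies.
function matchByRegistrableDomain(pageUrl, _formAction) {
  const page = new URL(pageUrl);
  return vault.filter((c) => {
    const saved = new URL(c.origin);
    return (
      saved.protocol === page.protocol &&
      naiveRegistrableDomain(saved.hostname) === naiveRegistrableDomain(page.hostname)
    );
  });
}

// Constructed scenario A: a fresh "vote for me" page with a hidden login form
// whose action points at the genuine site.
const PHISH_PAGE = "https://vote-for-me-gaming-league.example/vote";
const PHISH_FORM_ACTION = "https://store.steampowered.com/login/";

// Constructed scenario B: another customer's site on the same shared host.
const NEIGHBOUR_PAGE = "https://mallory.sharedhost.example/wp-login.php";

// Run every policy against every scenario and report which usernames would be filled.
function evaluate() {
  const names = (matches) => matches.map((c) => c.username);
  return {
    strictOnPhish: names(matchByPageOrigin(PHISH_PAGE, PHISH_FORM_ACTION)),
    formActionOnPhish: names(matchByFormAction(PHISH_PAGE, PHISH_FORM_ACTION)),
    strictOnNeighbour: names(matchByPageOrigin(NEIGHBOUR_PAGE, "/wp-login.php")),
    relaxedOnNeighbour: names(matchByRegistrableDomain(NEIGHBOUR_PAGE, "/wp-login.php")),
    strictOnRealSite: names(matchByPageOrigin("https://store.steampowered.com/login/", "/login/")),
    strictOnHttpDowngrade: names(matchByPageOrigin("http://store.steampowered.com/login/", "/login/")),
  };
}

console.log(evaluate());
```

Only the first policy refuses both constructed traps, which is why the comments above settle on "the auto-fill is linked to the URL" of the page: a form-action rule leaks `alice` to the phishing page, and a registrable-domain rule leaks the blog credential to a neighbour on the shared host. The http case shows the same origin check also blocking a scheme downgrade, the one kind of man-in-the-middle the answer notes a manager can do something about.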