Change the form action so the password submits to an attacker controlled server instead of the intended destination.The MITM can use a number of mechanisms to extract the password entered onto the non-secure page. Anything on a non-secure page can be manipulated by a Man-In-The-Middle (MITM) attacker.
The embedding page is checked against the algorithm in the W3C’s Secure Contexts Specification to see if it is secure or non-secure. How does Firefox determine if a password field is secure or not?įirefox determines if a password field is secure by examining the page it is embedded in. To inform developers about this privacy and security vulnerability, Firefox Developer Edition warns developers of the issue by changing the security iconography of non-secure pages to a lock with a red strikethrough. Unfortunately, we too frequently see non-secure connections, like HTTP, used to handle user passwords. Websites should handle this information with care and only request passwords over secure (authenticated and encrypted) connections, like HTTPS. Username and password pairs control access to users’ personal data. See this post for more details.įirefox Developer Edition 46 warns developers when login credentials are requested over HTTP. Update: This feature is now also enabled in Firefox Release, starting with Firefox 51.
0 kommentar(er)
