Design Flaws Make All Browsers Vulnerable, Black Hat Speaker SaysDesign Flaws Make All Browsers Vulnerable, Black Hat Speaker Says
In series of hacks, researcher demonstrates inherent flaws in currently-used browsers
August 3, 2010
LAS VEGAS, NEVADA -- Black Hat USA 2010 -- If you ask Jeremiah Grossman, no Internet browser application is truly safe.
Grossman, CTO of Whitehat Security, described a series of browser design flaws in a presentation here last week. Internet Explorer 6 and 7, Safari, Firefox, and Google Chrome all showed some exploitable weaknesses, he said.
"These are not just application vulnerabilities that can be patched on the next rev," Grossman said. "These are basic design flaws."
In several cases, Grossman demonstrated how attackers can use the "auto-fill" and "auto-complete" features in several browsers to trick the browser into giving up personal information and password data from the user.
In other cases, he showed how cross-site scripting flaws can be used to gain access to the password manager features in Chrome and Firefox. A final demo described a method for swiftly evicting cookies from Firefox, making it easier to attack.
After so much browser research, does Grossman recommend one over the others? "IE 8 is technically secure, but it's targeted because it's so widespread," he said. "Firefox is not bad, but I outlined some design flaws in my talk. Chrome is also pretty good, but it comes with what amounts to Google spyware, and there's no sandbox."
Depending on what they're doing, some users may benefit from using more than one browser, taking advantage of the relative security capabilities of each, Grossman said. "One of my key points was just to get people away from using IE 6 and 7," he said. "There are still a lot of users of those out there."
Some users may want to think twice before using password manager features, too, Grossman says. "It's a pain to write them all down, but if your password manager is compromised, that can be a big problem," he said.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023