November 3, 2017 06:51 am PDT
Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/u1M4rqumvL4/shady-websites-using-fake-pass.html
Shady websites using fake password-circles font to avoid securing login forms
Newer browsers notify users when a login form will be sent over an insecure connection. But some websites are replacing password boxes with plain text inputs to avoid triggering the warning – and using a special font, where all the characters are circles, to fool their users.
Troy Hunt makes an example of ShopCambridge.ca: https://twitter.com/troyhunt/status/925462678516019200?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Fwww.troyhunt.com%2Fbypassing-browser-security-warnings-with-pseudo-password-fields%2F
And as you've probably guessed by now, that "font" is nothing other than a single disc per character designed to be a visual representation of the real disc you'd normally see when entering text into a proper password field. It needs to work in this order because otherwise the place holder would no longer say "Password" and you'd instead see 8 round discs representing the letters of the word. The bottom line is, once all this is tied together then there's the veneer of a password field but because it isn't a password field, there's no browser warnings! It's like magic! More specifically, it's a pseudo password field designed to fool the user and deny them of the browser's visual warning designed to protect their password.
The craft involved is such that it can't be explained by sheer laziness. It's a peculiar mix of paranoia, marginal competence and the Dunning-Kruger effect.
Hahahaha.
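A defender-side audit for the pattern described above, as an added example that is not from the original post or from Troy Hunt: it flags inputs whose name or placeholder says "password" but whose type is plain text. The field records, the `disc-font` family name and the function names are constructed for illustration.

```javascript
// Added example: audit heuristic for pseudo password fields (names are illustrative).
const PASSWORD_HINT = /passw(or)?d|passphrase|pwd/i;

// Browser-only helper: flatten a page's <input> elements into plain records.
function collectFields(doc) {
  const view = doc.defaultView;
  return Array.from(doc.querySelectorAll('input')).map((el) => ({
    type: (el.getAttribute('type') || 'text').toLowerCase(),
    name: el.name || '',
    id: el.id || '',
    placeholder: el.placeholder || '',
    fontFamily: view.getComputedStyle(el).fontFamily,
  }));
}

// Core check. declaredFonts: family names taken from the page's @font-face rules.
function auditFields(fields, pageIsHttps, declaredFonts = []) {
  const webFonts = new Set(declaredFonts.map((f) => f.toLowerCase()));
  const findings = [];
  for (const f of fields) {
    const label = f.name || f.id || '(unnamed)';
    const hinted = [f.name, f.id, f.placeholder].some((v) => PASSWORD_HINT.test(v || ''));
    if (!hinted) continue;
    if (f.type === 'password') {
      // A real password box: the browser warns by itself on an insecure page.
      if (!pageIsHttps) findings.push({ field: label, issue: 'password-over-http' });
      continue;
    }
    if (f.type !== 'text') continue; // ignore hidden inputs, checkboxes, buttons
    // First family in the stack; a page-declared web font here is corroborating
    // evidence only, the type mismatch is the primary signal.
    const first = (f.fontFamily || '').split(',')[0].trim().replace(/^["']|["']$/g, '');
    findings.push({
      field: label,
      issue: 'pseudo-password-field',
      maskedByFont: webFonts.has(first.toLowerCase()),
      insecureTransport: !pageIsHttps,
    });
  }
  return findings;
}

// Constructed sample records, as collectFields() would return them.
const sampleFields = [
  { type: 'text', name: 'email', placeholder: 'Email', fontFamily: 'Arial, sans-serif' },
  { type: 'text', name: 'password', placeholder: 'Password', fontFamily: '"disc-font", Arial' },
  { type: 'password', name: 'old_password', placeholder: '', fontFamily: 'Arial' },
];
console.log(auditFields(sampleFields, false, ['disc-font']));
```

In a browser, pass `collectFields(document)` and `location.protocol === 'https:'` to `auditFields` instead of the sample records.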