Stealing Passwords via Browser Refresh

By Paladion

July 29, 2005

The browser's "Refresh" feature was the source of a little-known vulnerability until last year, when Karmendra analyzed the issue in Stealing Passwords via Browser Refresh.

Karmendra showed how applications that did not issue an HTTP redirect during authentication could be persuaded to reveal the previous user's password, even after the user had logged out of the application. It just required the right sequence of "Back" and "Refresh" to catch the password. And it was stunningly simple.
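As an added illustration, not code from the original post or from Karmendra's paper, here are two minimal WSGI login handlers driven by a constructed request: one answers the POST directly (the shape the paper describes), the other uses Post/Redirect/Get so the page the user lands on carries no form body. The credentials, paths and session cookie are made up for the example.

```python
from io import BytesIO
from secrets import token_hex
from urllib.parse import parse_qs

# Constructed credential store for the example; a real app compares a salted hash.
USERS = {"alice": "correct horse"}

def read_form(environ):
    """Decode the urlencoded body of a WSGI POST request."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length).decode()
    return {k: v[0] for k, v in parse_qs(raw).items()}

def login_direct(environ, start_response):
    """Vulnerable shape: the POST itself is answered with the landing page.
    The browser's history entry for that page is the POST with the form body,
    which is what a Back + Refresh re-submits."""
    form = read_form(environ)
    if USERS.get(form.get("user")) != form.get("password"):
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"bad credentials"]
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", f"session={token_hex(16)}; HttpOnly")])
    return [b"Welcome, " + form["user"].encode()]

def login_redirect(environ, start_response):
    """Hardened shape (Post/Redirect/Get): every outcome of the POST is a 303
    to a GET-able page, so no history entry the user lands on carries credentials."""
    form = read_form(environ)
    if USERS.get(form.get("user")) != form.get("password"):
        start_response("303 See Other", [("Location", "/login?failed=1")])
        return [b""]
    start_response("303 See Other", [("Location", "/home"),
                                     ("Cache-Control", "no-store"),
                                     ("Set-Cookie", f"session={token_hex(16)}; HttpOnly")])
    return [b""]

def call(app, method, body=b""):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "CONTENT_TYPE": "application/x-www-form-urlencoded",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body)}
    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out

if __name__ == "__main__":
    creds = b"user=alice&password=correct+horse"
    print(call(login_direct, "POST", creds)[0])     # 200 OK: page sits behind the POST
    print(call(login_redirect, "POST", creds)[:2])  # 303 See Other with Location /home
```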

We did an informal poll to see how frequently we come across this vulnerability in our tests today. Occurrences have dropped from 50% of applications a year ago to less than 10% now. Sure, informal polls are unscientific, but the numbers suggest that more of the applications that get tested for security address the problem today. That's good news.

Today Karmendra, geek, fellow blogger and museum enthusiast, turns entrepreneur. He joins his friend Seemanta to found SecurEyes. Best wishes from humsab@paladion, KK, Seemanta!
