
We unpack how some password managers can be tricked into coughing up your secrets, with a clickjacking sleight-of-hand, what website owners can do to prevent it, and how to lock down your personal password vault.
Then we time-hop to the post-quantum scramble: “harvest-now, decrypt later”, Microsoft’s 2033 quantum-safe pledge, and whether your printer will survive the update apocalypse.
All this, plus a gloriously dodgy URL “shadyfier,” and turning the iconic iMac G4 into a modern media hub.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veteran and keynote speaker Graham Cluley, joined this week by special guest Thom Langford.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Some people do have strong passwords, but they've only got one. Maybe you've used a — I can't say mnemonic.
Mnemonic.
Yes.
Mnur mnom.
Smashing Security, episode 432. Oops, I autofilled my password into a cookie banner.
Hello, hello, and welcome to Smashing Security episode 432.
With Graham Cluley.
My name's Graham Cluley.
And I'm Thom Langford.
Thom, welcome back on the show. Lovely to have you here.
Yes, thank you very much. It feels like it's been forever, but I know it hasn't.
Well, not forever, but it's been a while. It's been a while.
Yeah.
Everything going well with you and the Host Unknown podcast?
It's going very well. We're on episode 224 or something like that.
It is astonishing that you've kept going all this time.
Astonishing that we've not been taken off. I find it astonishing as well, but maybe for different reasons.
This week on Smashing Security, we won't be talking about how a researcher downloaded the data of over a quarter of a million Intel employees from an internal business card website in a breach dubbed Intel Outside. You'll hear no discussion of how distraction, lack of training, and burnout — not technical complexity — are the factors driving most breaches. And we won't even mention how the governor of Nevada has warned that state offices are closed, websites offline, and phone lines up the swanny following a suspected ransomware attack. So, Thom, what are you going to be talking about this week?
So I'm gonna be talking about quantum and legacy, 20 years in the past and 20 years in the future, all in the same show.
And I'll be describing how autofill can become auto-theft. All this and much more coming up in this episode of Smashing Security. Now, chums, passwords, absolute bloody nightmare, aren't they?
A real nightmare, wouldn't you agree, Thom?
This is the year of the passwordless systems. I'm sure of it. Well, hang on. I know we've been saying that for a while.
Not just you. I think everybody's been saying that for a while, be the end of passwords, but they still seem to linger on, don't they?
It's like this year being the year of the Linux desktop.
I cannot be the only one who's woken up in the middle of the night in a cold sweat. Not the male menopause, but worrying instead. Oh, my Netflix password. What is it? Is it password123? Is it 123password? Is it password1234? It's, what could it be? It happens to men of our age, doesn't it, Thom? It does. It does.
As does waking up in a hot sweat, but that is the male menopause. And that is what, not the male menopause, but, and that is one of the reasons why we strongly recommend people use password managers. They remember your passwords for you, so your puny human brain, I'm not looking at you, Thom, your puny human brain doesn't have to remember it. So password managers, really good for remembering your passwords if your memory's gone to shot. They're also really good at generating strong, unique passwords, which is of course what you really should be using, because it's a disaster if you use the same password or something similar over and over and over again. Or if you have one really strong password that you've memorised. Some people do have strong passwords, but they've only got one. Maybe you've used a— I can't say mnemonic. Mnemonic. Yes, maybe you've— mnemonic. Maybe you've memorised some method, your weird, crazy gibberish password, but you then use it for everything. And that's daft because all it's gonna take is one data breach, and the bad guys are gonna have your password, and they'll be able to unlock your entire online life and terrifying consequences. Well, it's also something else as well, isn't it?
What's that? Because it's also down to the sites that you use it on. And if that site is not storing it correctly, yes, it might be a data breach, but under normal circumstances, it would take the attackers a decade to break your password if it's encrypted, salted hash, blah blah, all that together. But if the site you're using it on is a bit daft, then it could be being stored in plaintext or with really poor encryption.
And just the name of the site, which if they found out the name of the site which you might have an account on, that might reveal something about you, which maybe you wouldn't want known to hackers and criminals and blackmailers and all sorts of—
Basically. Very true, Ashley Madison proved that.
There you go. So use a password manager, people. That's our message, right? Use a password manager. And password managers can help prevent phishing attacks. They look at the domain that your web browser is visiting and they won't offer to enter your password unless you're on the real website. So if you go to Lloyds Bank, it's only going to offer to enter your Lloyds Bank password if you are on the Lloyds Bank domain.
Yeah, can be a pain sometimes because not all websites, again, down to the quality of the sites you go to, they don't always maintain a strictly consistent domain format. But you can also add in aliases.
But you have to do that manually. Into your password manager. So you can say, oh, I do want it to work on this particular domain as well. So if you go to dodgybank.com rather than bank.com, it shouldn't offer to fill your password in for bank.com.
So we all love password managers.
We love them, we love them, we love them, don't we? They're fantastic. Absolutely. But unfortunately, some of them can still be tricked into helpfully handing over your passwords and other sensitive information, such as your credit card details, to the bad guys, to the cybercriminals. And that is what my story is about today, because a security researcher from the Czech Republic called Marek Toth described at the DEF CON security conference this month how, if you have a browser-based password manager extension like those available from 1Password, LastPass, Bitdefender, NordPass, etc., etc., ad nauseam, how those extensions can be tricked into coughing up your secrets and handing them straight to the bad guys. So what happens is this, this security researcher, he described how a browser-based password manager extension like those we've discussed can be tricked into coughing up your secrets. And this is how the attack happens. Imagine you are on a website and you go to the website. One of the first things you see is effectively a popup. A little thing pops up in front of the website, which says, click here to make it go away. So it could be something like an irritating cookie consent popup. And you see those sort of things when you visit Instagram or TikTok in your browser, or it could be something like the Cloudflare "are you a human" challenge page. The CAPTCHA. Yeah. You know, it's fairly common. I sometimes go to webpages and Google will say, oh, you know, are you really, you're not logged into your Google account. You know, you have to agree on this. And you see all this Google branded thing which appears there and you have to say, yes, of course, I'm just loading Google to the page. And so you click on it, don't you? Because who doesn't do that? But surprise, surprise, a hacker has secretly slipped in underneath that pop-up an invisible login form. And your trusty password manager, bless its silicone socks, sees that form. Oh, interesting. Yeah.
Sees that form and thinks, oh, let me save you some time. Here is Thom's password and his credit card details and his inside leg measurement. So let me just step— that's scary in itself, but I'm going to go into the weeds now. I'm going to get a little bit nerdy. You know how—
Because I— yeah, because I've got quite— I've got a point. But yeah, go on, go on, go on, go on. Okay, well, I'll describe this and if you've got anything— I mean, you are a great technical brain, Thom. I'm expecting you to have great questions regarding this. Let's go there. Exactly.
Let's take the audience down this path and see if they can cope with what we're about to describe. Indeed. So imagine you were tricked into visiting a dodgy site, a phishing site. It had a name a bit like the site you wanted to log into, or you received a phishing email with some HTML hijinks, which made you think that you were going somewhere, and in fact, you were taken somewhere else. This webpage has been created by cybercriminals like a regular phishing page, and they've led you there through this malicious link. Now, normally when you visit a page like that, your password manager can help you. Normally, if you visit a legitimate page where you would want to log in, it would inject a little autofill pop-up into the web page. A little thing will pop up inside the web page, a little button which says, "Do you want me to enter your details? Do you want me to fill these in for you?" And that iframe— Ah, I see. Now you're getting it. That iframe has been made effectively invisible to the naked eye through the use of JavaScript, the CSS setting is basically set to opacity zero. And that means you can't see that the real thing is there. The attacker shows something like a fake cookie banner or a confirm your human box to cover the real autofill popup. And when you click, when you click on the button to remove the cookie banner or the CAPTCHA, what you're actually clicking on is not a harmless button. Your click is actually passed to the hidden autofill control that tells your password manager, go ahead and fill in Thom's password, credit card details, two-factor codes here. And they get filled into a hidden form that the attacker controls. They collect it and you didn't see a thing was being taken.
So my question is, yes, when I go to a website, and there's a login form and I click into the username, up pops a thing saying, do you want to put in this username and password? And then I have to do the Touch ID or the secondary authentication. So I actually have to manually, not manually, but you know what I mean? My second factor is my fingerprint at the end of the day. So if that's in place, okay, if you force that as a protective measure. Does that at least warn you that even though you are clicking into a fake form, that it's trying to fill in a username and password behind without you seeing it?
So it would do, because of course you would think, why am I being asked to do Touch ID? Now you are a fancy pants Apple user who's got all this fingerprint ID, Touch ID sort of stuff set up. Many of the rest of us mere mortals, the average person, does not have all that set up. And I suspect as well, yes, inside many password managers, there may not be an option to do that, or it is not enabled by default.
I think also we forget people's muscle memory of, oh, it's prompting me to Touch ID, I must Touch ID. Yeah, it comes up with a valid system request. It's from Apple. Therefore, I'm thinking, oh, something's happening. I must need to touch, not necessarily question it.
Yeah, I think you're right.
So it's still dangerous, but there is a mechanism that may at least slow things down.
It's a little bit of a safety net because you might think, well, why is this happening? Although, remember, you clicked on a link expecting to go to this particular website, perhaps. Yes. I mean, that is a—
Absolutely.
That's a possibility. It may not have been the case as to how they're doing this. It may not have been pretending to be that website. And so you might think, well, this is okay for me to do. That is also a potential. So yes, what we need are more safety nets. These criminals are clever. They are clever. So your password, your card info, even your two-factor security codes are getting filled into a hidden form. You didn't see a thing was being taken. What you can see is a big cookie consent form pop up on your screen or some kind of CAPTCHA. Something else which is irritating, apparently legitimate clicks on the apparently safe visible elements of that web page are actually intercepted by the hidden iframe. Yeah. And the credential theft has occurred. So this is a bit of a problem.
Yes. Yes. And then some.
So I think there's different people who have to deal with this problem. And one of the groups of people are the people who actually run the websites themselves. So if you have a website which can be hacked, how can you prevent users of your website being duped in this fashion? And what you can do is you can set options in your HTTP headers that say that the site cannot, is forbidden to be put in an iframe, and your web browsers will obey those and say, well, hang on, this particular webpage doesn't allow this site to be put into an iframe, and so I'm not going to allow it. You can also say, look, my site can be put in an iframe, but only on my domain name. Yeah. So if you were part of smashingsecurity.com, smashingsecurity.com maybe allows other bits of smashingsecurity.com to put itself into an iframe. We don't actually do that as far as I know, but—
We're not that fancy.
We're not that, no, why would we do that?
But you know, but— Well, you wrote the website.
Yes, I did. But so I'm pretty sure I don't do that unless some hackers come in. You can also set a content security policy on your website, which is a more modern way of preventing your site from being put in an iframe. And some websites, they want to be embedded on other sites. It's part of their business model. So Google, for instance. Yes. YouTube. Yeah. People want to be able to embed videos on their blogs, on their news sites, on social media, Google Maps. People want to be able to embed Google Maps, Spotify, Twitter, TikTok, all those sort of things. They want to be embedded. So yeah, you can have a blanket ban of nobody can embed our stuff, but that would kill half of the internet's content. What you can do instead then is you can separate your safe-to-embed web pages from the ones which aren't safe to embed. So, for instance, a login page on YouTube or Google cannot be embedded.
Exactly. That sounds like work for people though, or for webmasters everywhere. It is a bit of work.
But the good news is most people's websites, there probably isn't a business case for being embedded. If you were running a bank, why on earth would you allow any of your web pages to be embedded somewhere else? It just sounds like you're asking for trouble.
If you're running a bank, why on earth would you limit passwords to just 12 characters?
And yet— And yet some do. It's insane.
It drives me livid, I have to say.
So what can users do about this? We've spoken about what the website owners can do. What can users do about it? You can turn off autofill for sensitive stuff like passwords and credit card details. Sounds like, you know, in a way you have turned off autofill, Thom, because it requires your fingerprint to go forward. I've told my password manager not to do it automatically, so I have to do a further fill-on-click agreement. So when it tries to fill something in, rather than doing it automatically, the actual browser has a little thing inside the browser context where I say, yes, this is okay for this extension to fill these details in. So I would be suspicious. You can obviously keep your password manager updated because some have been updated to protect against this. And in Chrome and Edge and Brave, if you're using those browsers, many people are obviously using Chrome, you can set extensions, including password managers, to basically operate on click only so they don't silently inject autofill.
So you have to click into the field itself before it fills in.
Well, you have to actually click, I think it's on the icon in your browser toolbar to say, I now want my password manager to do something, which might be an idea for many people with their extensions anyway, because some extensions have an extraordinary amount of access to what's going on on the pages. So you may only want to turn them on when you want to turn them on. So this researcher, he tested 11 popular password managers. He found that nearly all of them were vulnerable to this trick to a greater or lesser extent. And he told them about it back in April. And some like Dashlane and Keeper and NordPass and ProtonPass and RoboForm, they fixed it quickly. Others are dragging their heels a little bit.
Isn't it interesting how the larger names that shall not be mentioned seem to be dragging their heels, yet the smaller ones, you know, the ones with potentially less resources are just fixing it.
Curious, isn't it? Yeah, I mean, maybe they're worried about what else they might break or looking for the right way to do this. But yeah, you would like to think that they would have done it by now. So right now for some people, and it's estimated millions and millions of people are relying on these things, and rightly so because we've been encouraging it for years on your podcast, the only thing standing between them and disaster is the hope that they don't click on a suspicious accept cookies button, which, let's be honest— We all do anyway, don't we? Frankly.
Well, have you ever been on, I'm sure you have, on the HMRC website? Every page you open is accept cookies, accept cookies. It's ridiculous. Why does it do that?
Why does it do that?
I know. God, that's kind of prompting poor behaviour in a place that is really close to your financial livelihood, right?
Yeah, absolutely. So if you run a website, don't let your sensitive pages be iframed. And if you're a user, don't let your password manager fill stuff automatically without your explicit say-so or without the thumbprint of Thom Langford.
My thumb is available for rent.
Thom, what's your story for us this week?
So, this story, I'm going forwards in time. Excellent. So, you know, between, I don't know, maybe sort of 7 to 15 years in the future is when the experts think that quantum computing will be mainstream. And quantum computing is, I was gonna say the next step in sort of computing evolution. Although it's actually more like a revolution. It's fundamentally more powerful by orders of magnitude, massive orders of magnitude. Things that may have taken a supercomputer today 10,000 years to do. We mentioned cryptography and how, you know, you can break passwords if you set a supercomputer onto it for 10 years, you can get a password out of it from an encrypted password file. A quantum computer will do it in seconds or minutes because of that exponentially massive growth. So from a security perspective, all of our existing cryptography, even the highest level of cryptography today, is potentially going to just be blasted through by quantum computers. And that's not going to change.
It's a bit scary, isn't it?
Yeah, it's potentially— Do you know how hard it is to find a story to talk about that hasn't got AI in it these days? It's ridiculous.
It's almost as though someone should do a podcast specifically about AI. I know, right?
You'd think, if only I could find somewhere that would teach me more about it. But quantum is gonna be the new AI. In a few years, all we're gonna hear about is quantum because more and more computers will be quantum. Microsoft just recently launched a quantum chip. I say launched, it's not like you can go down to Currys and buy it, but it's a pretty little gold thing that needs to be refrigerated or stored in a room the size of, well, a small house basically to keep it cool to run. Although that's changing, you know, quantum chips are now starting to operate at room temperature. 'Cause that's the thing, you had to chill a quantum computer down to absolute zero in order for it to work. Progressions have been made that means it doesn't matter. So anyway, experts therefore say in 7 to 15 years, quantum computing will be maybe in the household, who knows, maybe even be in a phone, you just don't know. I mean, it's Moore's Law writ large here. So researchers are very concerned and cybersecurity people are very concerned about this. So we need to be quantum ready effectively. And what Microsoft has bravely announced that by 2033, that's 8 years, and quite a few hundred Patch Tuesdays from now that its products will be quantum safe. Corporate speak for we'll worry about the apocalypse later, but here's a press release to make us look futuristic today. What do they mean by quantum safe? What I mean by quantum safe is that their products, their computers, etc., will not be able to be taken advantage of by quantum computing in the way that we've just mentioned. They will have their own encryption methods, or at least what we might term as encryption today, who knows in 8 years' time, that will not be broken by quantum. Presumably it's quantum encryption, which will therefore take a quantum computer 10,000 years to break. The pitch is that hackers are harvesting encrypted data now so that they can decrypt it later.
So we talked in the last story about, you know, not all sites store data properly, most sites do, and they store it in encrypted hash salted blah, blah, blah kind of way in such a way that it takes 10,000 years to get a password out of it. Hackers know this, they're just harvesting it anyway because at some point they will be able to use a quantum computer to decrypt that data in seconds. So because most people will not change their passwords over the next 5 years on many sites because they're not prompted to, why would they? They might reuse a password to your previous point. They might have a secure password, but they use it a number of different times. So it might be 128 different characters, but they use it on 10 different sites or 100 different sites and don't change it because, hey, it's secure. Well, in 5 years' time it won't be, or 8 years' time or whatever. And also, most people who don't listen to this podcast but maybe friends or family of people who listen to this podcast, are just still using, you know, password123. Of course, Microsoft is working with global standards bodies, which sounds great until you just realize that's just a decade of committees and meetings about acronyms. But by the time they agree on what to call it, quantum computers will be teaching our grandchildren how to bypass login screens. Simple as that. By 2033, half of us won't even be using today's systems anyway. And the other half will still be waiting for Windows Update to finish installing, or we have to, you know, shutting down your computer. Please wait, do not turn off your computer. So it sounds great, but if history tells us anything, the real threat isn't quantum computing, it's Microsoft rolling out another update that breaks your printer again. I'm telling you, it's for security.
Oh, come on, Thom. As if they would do that.
Yeah, as if they would do that. And anyway, most printers don't need a patch to break. They just break randomly anyway, right?
Yeah, because you've made the mistake of injecting paper into them. That's the thing they're objecting to.
It's a paper injection attack.
Hello, I'm Graham Cluley, host of the Smashing Security podcast. I guess you know that. I'm quite often in your ears, aren't I? Every week, tens of thousands of people tune in to hear me talk about hackers, scams, the latest blunders that make you wonder how some people ever got hired in cybersecurity. But here's the clever bit: your business can sponsor this podcast. That means your brand gets promoted directly to an audience of security professionals, decision makers, and people who actually know what a firewall is, unlike your CEO. Sponsoring Smashing Security is simple. I read your message, listeners hear it, and you look like a genius for choosing the one podcast that manages to make cybercrime both informative and funny. So before you blow this year's marketing budget on branded stress balls or throwaway socks, visit smashingsecurity.com/sponsor and let's chat. That's smashingsecurity.com/sponsor. Okay, back to the show. And welcome back, and you join us at our favorite part of the show, the part of the show that we call Pick of the Week.
Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
We're not helping. We really aren't helping push the needle here, are we?
Well, possibly not. This was put together by a guy called Robin in Hamburg. I will link to it in the show notes. robbb.in/shadyitis. If you can see the link there in front of you, Thom, why don't you go to the link? Okay. When you go to the link, you can enter a URL and it will turn it into something which is probably going to be longer and hopefully would set the alarm bells of your users ringing enormously that they shouldn't click on it. So you give it a try, Thom, and see what you get shown.
So if I was to send you a link that says malicious-do-not-trust-spyware-forgerie.is.gd/garbage-adware.exe.
Yeah, that sounds a bit dodgy.
Guess which website that will take you to?
I have no idea.
Where does it take you? hostunknown.tv, of course.
The URL of your podcast. Fantastic.
I love this. And I hate it all at the same time.
It's funny, isn't it? I both love it and hate it. And I can imagine many people listening to the podcast will both love and hate this. So I don't know if this should be a pick of the week or a nitpick of the week, whichever it is. I thought you should be aware of it. Or a do not click of the week. But there you go. So that is how you shadeify your URL. Links in the show notes. Nice. Thom, what's your pick of the week?
So I said I was going to go into the future and the past. Yes. So I am here to talk to you about a company called Juicy Crumb, who have produced a little product called the Docklite G4. Now, let's go back 20-plus years into Apple history. Do you remember, this is before Apple even moved on to the Intel chip, they were still running the PowerPC chip. Yes. They'd released their plastic PowerPC Macs. Do you remember the, there was the ones that looked like colourful toilet seats, and then they had the CRT monitors in plastic. That was the G3 version. Yes. Do you remember those?
Yes, yes. So that's the kind of era.
And then they released a brand new line of iMacs, and it was called the iMac G4. Very, very imaginatively is the word. Yes. But do you remember this one? It was a half dome with an articulated arm and the screen on the end. Some people called it the sunflower edition. It was an anglepoised lamp, wasn't it, in a way? It's an anglepoised lamp, and it's a thing of beauty. In fact, I'm looking at two of mine at the moment. You've got one?
I love them. I've got two.
I have a 15-inch and a 17-inch.
Okay, stop bragging. I would love if Apple still used that design. I think that design was absolutely gorgeous.
It's beautiful. Yeah. If you go to eBay, you can even just find somebody who takes broken ones and turns them into lamps. Yours for £360. I'm all right, thanks. Yeah. Anyway, these run PowerPC G4. The lower versions can only take a gig of RAM. They normally ship to 256 meg. That's how long ago.
Because they haven't made these things for almost 25 years, have they?
No, exactly. It's a long time ago, right? Yeah. So they're sluggish. You fire it up, plug it into your network, it'll get an IP address, but good luck actually browsing anywhere. Yeah. Because all the certificates have expired. Unsupported operating system, et cetera, et cetera. But they are a thing of beauty. However, what Juicy Crumb have done is create this product, the Docklite G4. And what you do, you open it up, put it on its face, open up its bottom, you take out the innards, you put in their board, right? Which all aligns up properly. Yeah. Put it back together. You have now got a USB-connected monitor. Monitor. A monitor. And some space inside of that dome to put whatever you want in there that would fit. So, for instance, somebody got the insides of an M2 Mac Mini. So, not the smallest one, but the larger Mac Mini, as it were. Right. An M2 Silicon Mac Mini. He said, the screw holes actually line up. Mounted that inside the Half Dome underneath. No. Hooked in the HDMI, hooked up the USB, then had a fully working M2 Mac in the Sunflower G4. In the classic. The classic format.
Oh, that sounds like a thing of beauty.
It's a thing of beauty. And I'm, you know, my Docklite is winging its way from Australia as we speak. So I can't talk to it just yet. So you can use your old keyboard, your old mouse, your old speakers. You can keep it looking genuinely retro. I'm putting an Apple TV inside of mine. Right. Because as we were talking just before the show, I'm buying a new house. I fancy having a TV in the kitchen. Not just any TV. I want a retro Mac TV. Oh. How cool is this?
That sounds so cool. Great pick of the week, Thom. Great one. Well, that just about wraps up the show for this week. Thank you so much, Thom, for joining us. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way to do that?
Or you can search for me, Thom Langford. That's T-H-O-M Langford. Or come to hostunknown.tv or ThomLangford.com or even ThomLangford.photography. All ways of getting hold of me. Terrific.
And of course, Smashing Security is on social media as well. You can find us on Bluesky, or you can follow me on LinkedIn. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 430-odd episodes, check out smashingsecurity.com. Until next time, cheerio, bye-bye.
Ta-ta.
You've been listening to Smashing Security with me, Graham Cluley. I'm grateful to Thom Langford for joining me on this episode and to the chums who've signed up for Smashing Security Plus and support the podcast via Patreon. They include Matt Cotton, Alan Liska, Jan, David Smith, or is it David Smythe? He's got a Y in it. Anyway, Jason B, Simon Yakan, Mike Hallett, Dimitri, Rich, Sammy Dosa, Matthew Hunt, John Morris, Bunky Duck, Lars, Chip, and Jacob Lofgren. If you'd like your name to be one of those read out on the credits from time to time, that is just one of the simple pleasures you can earn yourself by joining Smashing Security Plus. You sign up for as little as $5 a month. You get your name read out every now and then, but you also get early access to Smashing Security episodes and occasional bonus content. And by the way, those early episodes don't have any ads in them. Wonderful. Just go to smashingsecurity.com/plus for more details. Now, I realize that times are tough. There's not a lot of money rattling around, is there? So don't feel any pressure to become a patron. You can also support the podcast in other ways. You can like, you can subscribe, you can give 5-star reviews if you're feeling generous, and perhaps jot down a few words to try to entice people to give the podcast a listen. But you know what you also can do is just tell someone about the podcast. Tell them that you like it. Anything that gets the podcast in front of more people makes the effort all worthwhile. Well, that just about wraps up the show for this week. So thanks once again for listening. I really do appreciate it, and until next week, cheerio, bye-bye.
Host: Graham Cluley
Guest: Thom Langford
Episode links:
- DOM-based Extension Clickjacking: Your Password Manager Data at Risk – Marek Tóth.
- Major password managers can leak logins in clickjacking attacks – Bleeping Computer.
- Microsoft to Make All Products Quantum Safe by 2033 – Infosecurity Magazine.
- Shady URL.
- DockLite G4 – Juicy Crumb.
- I perfected the iMac G4 – YouTube.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

