Thursday, August 26, 2004

Stealing Passwords Via Browser Refresh

Infosec Writers has a paper discussing the theft of passwords via the browser's refresh and back features, along with countermeasures. It makes some assumptions about browser use and configuration, but is accurate to a point. Here are some additional (user-level) guidelines to avoid this vulnerability:
  • clear your history (or temporary Internet files) after each use
  • turn off auto-complete if it's available
  • turn off the browser's password manager
  • don't use the "remember me" feature on the website
  • close the browser and reboot the machine when you're done with the site

Yeah, some of those are a bit anal, but if you're worried about the data controlled by a certain website, it may be worth the trouble.
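The guidelines above are for users; the fix the site itself can apply is to never answer the login POST with a page, so that refresh or Back only ever replays a GET. The following is an added example, not code from the paper or from this post: a minimal Python login handler in both forms, with a constructed user/password pair and hypothetical routes.

```python
# Added example: the same login handled two ways. The vulnerable form renders
# the page straight from the POST, so a refresh re-sends the credentials.
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

SESSIONS = {}  # session token -> username (in-memory, demo only)

def check_credentials(username, password):
    # Constructed demo pair; a real app compares against a password hash.
    return username == "alice" and password == "correct horse"

def vulnerable_login_response(form_body):
    """Renders the result in place: the landing page is the POST response."""
    form = parse_qs(form_body)
    user = form.get("username", [""])[0]
    pw = form.get("password", [""])[0]
    if not check_credentials(user, pw):
        return 401, {"Content-Type": "text/html"}, b"<p>Login failed</p>"
    return 200, {"Content-Type": "text/html"}, f"<p>Welcome {user}</p>".encode()

def hardened_login_response(form_body):
    """Post/Redirect/Get: the POST yields only a 303, never a cacheable page."""
    form = parse_qs(form_body)
    user = form.get("username", [""])[0]
    pw = form.get("password", [""])[0]
    headers = {"Cache-Control": "no-store", "Pragma": "no-cache"}
    if not check_credentials(user, pw):
        headers["Location"] = "/login?error=1"  # hypothetical route
        return 303, headers, b""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    headers["Location"] = "/home"  # hypothetical route, fetched with GET
    headers["Set-Cookie"] = f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return 303, headers, b""

class Handler(BaseHTTPRequestHandler):
    """Serves the hardened variant; swap in vulnerable_login_response to compare."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        status, headers, payload = hardened_login_response(body)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

With the hardened handler, pressing refresh on the landing page re-requests /home with GET; the password is no longer in the page's history entry.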

