ericgeater
Community Champion

input passage without pressing ENTER

Does anyone else have a problem knowing that field input on a website can occur without pressing ENTER?

A little extra info to flesh out my question: I visited a website for which I had forgotten my credentials. And it isn't a site that I would expect a lot of security from, just to add some context. But when confirming a replacement password for the site, the site rejected the password because it matched a previous password. I respect that! But I had not pressed ENTER.

To me, pressing ENTER is committing the input. Having it passed at keystroke time seems a bit intrusive for some reason. But my biggest beef with the practice is that I wouldn't have noticed this evolutionary step at all, had my browser not instantly fed back the rejection.

Maybe I'm just a little 'noid, so I'll welcome someone to talk me down. But I don't know how widespread the practice is, so it's a bit unnerving to know that ANY site could be capturing input data without it actually being INPUT. I could mistakenly type another site's password (which could lead to an inference attack if the site's owner is unscrupulous), or be questioned for things I typed into a field, only to backspace out of editorial courtesy, or... ???

Like I said, talk me down. Thanks!

--
"A claim is as good as its veracity."
AlecTrevelyan
Community Champion

How widespread is this practice? Real-time form validation is very widespread and, as we all know, validating form input is security best practice.

An obvious example of something which is near ubiquitous these days is the password strength meter.

Type more and more characters in and the meter changes colour from red to green to show the password is now at an acceptable level of strength - so they're clearly reviewing your input before final submission.

That being said, there's a difference between what happens as I've described above, which is just a piece of script running and checking your input as it's typed through an API, and actually recording your input until it's finally submitted.

How do you know what they're doing with your input, either fully submitted or otherwise? I guess you're reliant on reading their T&Cs and ultimately making a judgement on whether or not you trust them? Or at the very least trust in any regulatory system they are required to abide by to control them accordingly. (Or punish them if they break the rules.)

Maybe if they are recording everything that's input into their form fields they are opening themselves up to a denial of service attack where someone sends them endless reams of useless data to fill up their storage? Or at the least an economic denial of service where the volume of storage they're forced to use becomes cost prohibitive.

BTW - I'm assuming in your example there's something else (e.g. a cookie) telling them who you are in order to load up your list of previously used passwords via the API. As otherwise it could be used as part of a password guessing mechanism. e.g. Type in the username of your target and start guessing passwords and the system will handily tell you if they've been used before so you can check if they're still in use on other sites.
CISOScott
Community Champion

@AlecTrevelyan wrote:

BTW - I'm assuming in your example there's something else (e.g. a cookie) telling them who you are in order to load up your list of previously used passwords via the API. As otherwise it could be used as part of a password guessing mechanism. e.g. Type in the username of your target and start guessing passwords and the system will handily tell you if they've been used before so you can check if they're still in use on other sites.

Alec, that was going to be my response. Real-time feedback allows for password walking and would make it easier for someone to find previous passwords, and if you found enough of them you could even determine the person's password strategy (i.e. sequential numbering, kids' names, etc.). It would be inherently more dangerous if there was real-time feedback without an alert that someone was trying multiple times to guess a password.

rslade
Influencer II

> ericgeater (Newcomer III) posted a new topic in Tech Talk on 08-07-2019 07:12 PM

> Does anyone else have a problem knowing that field input can occur without
> pressing ENTER?

Yup. (You probably have to run traffic analysis to figure it out ...)


>   To me, pressing ENTER is committing the input.  Having it passed at
> keystroke time seems a bit intrusive for some reason.

Well, there is usually no (or little) indication that it is doing so.

>   But I don't know how widespread
> the practice is, so it's a bit unnerving to know that ANY site could be capture
> input data without it actually being INPUT.  I could mistakenly type another
> site's password (which could lead to an inference attack if the site's owner is
> unscrupulous), or be questioned for things I typed into a field, only to
> backspace out of editorial courtesy, or... ???   Like I said, talk me down. 

No, I'm not going to talk you down. You aren't paranoid. They are doing it. And
usually without any indication that it is going on.

The "community" does it. Type something in the search box, and, as you type,
you start seeing completion suggestions. Same thing happens when you start
typing in a subject for a new topic. (And when entering a label.) Obviously the
Website is taking your keystrokes as you type them, long before you hit enter.
(Same thing is happening when you are entering stuff in the editor, but that tends
to be more expected, I suppose.)

Pretty much any entry field can do it, if the site is set up that way.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Everything should be made as simple as possible, but not simpler.
- Albert Einstein
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
denbesten
Community Champion

@ericgeater wrote:

Does anyone else have a problem knowing that field input on a website can occur without pressing ENTER?

Not surprised, nor do I see it as a problem. As Alec mentioned, the functionality is often helpful and well received. One of my favorite examples is ticking complexity rules as they are met.

The bottom line is that when visiting a web site, you are giving that site permission to run their program (JavaScript) in your browser window. Their program has access to anything you give it, including keystrokes. Pretty much the best one can do is to keep the "foreign entity" out of their browser in the first place by doing things like disabling JavaScript (etc.) and disabling phone home. Of course, doing so tends to cause breakage.

The bigger concern to me is that browsers have a history of allowing JavaScript access to things I did not authorize (even if in error), such as the local file system, other browser windows, etc. Fortunately, browser manufacturers are pretty good about closing these faults as they are found.

Do note that I am reacting to the "press enter" question, not the "previous password" statement. I would hope that a password-reset site would not divulge any information (including correctness of username/email) until after having validated yourself through some secondary channel (e.g. a "confirmation" email). If the website in question got that order wrong, I am standing aside CISOScott.

P.S. @rslade, why would you have a problem with knowing something? :-).

rslade
Influencer II

> denbesten (Community Champion) mentioned you in a post! Join the conversation

>   P.S.  @rslade, why would you have
> a problem with knowing something? :-).      

Ummmm, sorry, what did I say that you read as meaning I don't want to know
something?

denbesten
Community Champion

@rslade wrote:
> Does anyone else have a problem knowing ...

Yup.

I was intentionally mis-reading this response with hopes that you would respond "it's people like you that cause unrest", at which point I was going to ask if there is an "unrest" badge. That said, a joke is not funny if one needs to explain it, so I'll crawl back into my corner.

rslade
Influencer II

> denbesten (Community Champion) posted a new reply in Tech Talk on 08-08-2019

> Yup. I was
> intentionally mis-reading this response with hopes that you would respond "it's
> people like you that cause unrest"

You know me too well ...

> at which point, I was going to ask if there
> is an "unrest" badge.

We SHOULD have an "unrest" badge. I'd even be willing to do the judging for Sam
...

(Speaking of the which, where's my "I mentioned Security Congress" badge from
June?)
