Clover13 Posted March 1, 2017 Posted March 1, 2017 Hey guys and gals, I'm running a 3.4.9 instance (I know, OOS in April) and came across an issue today where the site's skin creator's website appears to be either hacked or they updated their security and it's resulting in prompting for Windows login credentials to access the site. Their skin included a JS that embedded their logo and website address for credit, and as a result began to show this Windows login credential popup on my site when attempting to load said image. I removed the offending code, and notified my users to update their Windows passwords if they accidentally entered it on the site. I do not have a sense of how long this issue existed, nor the tue scope of it, hence why I am posting here. Mitigation time was about 5-10 minutes from when it was reported. The other aspect of this is that the popup only appeared on Microsoft Edge, but not on Firefox nor Chrome. One other user reported he got a popup on Safari. My main concern is that when reviewing the Developer Console Debug in Edge, I could see it was blocked because it was attempting to send credentials over Basic Auth. Edge stopped it and rendered a popup to verify, while Firefox and Chrome did not. Did FF/Chrome silently block this, or could they have possibly silently sent the Windows credentials automatically over Basic Auth? Hoping someone here can give me some insight to scope this out.
Colonel_mortis Posted March 1, 2017 Posted March 1, 2017 Basic auth is just a way of the server asking for a username and password. It doesn't have any mechanism for specifying that the user's computer's password should be sent, and in fact there is no way for the browser to access the windows password anyway. If no login box was displayed, or the login box was dismissed, there is no chance of any information being leaked; if (and only if) they did enter anything into that box and submit it, there is a chance that it was being stored, so they should take the appropriate actions. I am surprised that the other browsers didn't prompt for it though, since I have seen it happen with images.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.