Design Flaws Make All Browsers Vulnerable, Black Hat Speaker Says

LAS VEGAS, NEVADA -- Black Hat USA 2010 -- If you ask Jeremiah Grossman, no Internet browser application is truly safe.

Grossman, CTO of Whitehat Security, described a series of browser design flaws in a presentation here last week. Internet Explorer 6 and 7, Safari, Firefox, and Google Chrome all showed some exploitable weaknesses, he said.

"These are not just application vulnerabilities that can be patched on the next rev," Grossman said. "These are basic design flaws."

In several cases, Grossman demonstrated how attackers can use the "auto-fill" and "auto-complete" features in several browsers to trick the browser into giving up personal information and password data from the user.

In other cases, he showed how cross-site scripting flaws can be used to gain access to the password manager features in Chrome and Firefox. A final demo described a method for swiftly evicting cookies from Firefox, making it easier to attack.

After so much browser research, does Grossman recommend one over the others? "IE 8 is technically secure, but it's targeted because it's so widespread," he said. "Firefox is not bad, but I outlined some design flaws in my talk. Chrome is also pretty good, but it comes with what amounts to Google spyware, and there's no sandbox."

Depending on what they're doing, some users may benefit from using more than one browser, taking advantage of the relative security capabilities of each, Grossman said. "One of my key points was just to get people away from using IE 6 and 7," he said. "There are still a lot of users of those out there."

Some users may want to think twice before using password manager features, too, Grossman says. "It's a pain to write them all down, but if your password manager is compromised, that can be a big problem," he said.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.