Avatar for Username

Hilfe durchsuchen

Vorsicht vor Support-Betrug: Wir fordern Sie niemals auf, eine Telefonnummer anzurufen, eine SMS an eine Telefonnummer zu senden oder persönliche Daten preiszugeben. Bitte melden Sie verdächtige Aktivitäten über die Funktion „Missbrauch melden“.

Learn More

Dieses Thema wurde archiviert. Bitte stellen Sie eine neue Frage, wenn Sie Hilfe benötigen.

What can I do to mitigate autofill attacks?

theodore-norvell
theodore-norvell
more options

Is password autofill for Firefox safe against the attacks outlined in 

  https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

Is there a way to make it safer?

Is password autofill for Firefox safe against the attacks outlined in https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ Is there a way to make it safer?

Ausgewählte Lösung

I don't know how widely this could be used, but one thing is for sure: if you set Firefox NOT to autofill logins, then an attack using an invisible form can't work. With that setting change, instead of having the username and password already in the boxes, you need to click the username box and select the username from a drop-down, and then Firefox fills the boxes. That tested out safe on that article's demo page.

Here's how to change the setting:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste signon and pause while the list is filtered

(3) Double-click the signon.autofillForms preference to switch the value from true to false

Demo page: https://senglehardt.com/demo/no_boundaries/loginmanager/

Diese Antwort im Kontext lesen 👍 2

Alle Antworten (2)

Mkll
Mkll
more options

Try LockBox: https://mozilla-lockbox.github.io/lockbox-extension/

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 10 Contributor
more options

Ausgewählte Lösung

I don't know how widely this could be used, but one thing is for sure: if you set Firefox NOT to autofill logins, then an attack using an invisible form can't work. With that setting change, instead of having the username and password already in the boxes, you need to click the username box and select the username from a drop-down, and then Firefox fills the boxes. That tested out safe on that article's demo page.

Here's how to change the setting:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste signon and pause while the list is filtered

(3) Double-click the signon.autofillForms preference to switch the value from true to false

Demo page: https://senglehardt.com/demo/no_boundaries/loginmanager/