Hello and welcome. Recently I noticed a big security hole that I can say is a problem for all the existing web applications that authenticate their users by asking them to type in their username and password.

I mean, it only takes a few minutes for an attacker to fake an access point (a web page, e.g. the login page) to your web site and force your users to go to that faked access point. I will give an example so it will be more understandable:

Say I have my web site at www.realwebsite.com. Existing users need to go through the login page to connect to the web site, and my login page looks like this:

// login.php
<?php

if (isset($_POST['go'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
}
// my server logic goes here.

?>

And my Html, (in www.realwebsite.com/login.php):
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Login</title>
</head>
<body>
    <form method="post" action="login.php">
        <input type="text" name="username"/>
        <input type="password" name="password"/>
        <button name="go">Go</button>
    </form>
</body>
</html>

And let's say a malicious person wants to steal users' credentials. He will create a form identical to the form in my login page and just change the 'action' property on the 'form' tag; it looks like this:
The faked access point page:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Login</title>
</head>
<body>
    <form method="post" action="malicious_faked_accesspoint.php">
        <input type="text" name="username"/>
        <input type="password" name="password"/>
        <button name="go">Go</button>
    </form>
</body>
</html>

The attacker can force an existing user to go to the malicious login page by sending the link in an email, or just by creating a blog and putting a link to this malicious page inside the blog. Once a user goes to the malicious page (the user thinks it is the real web page since it has the same look), types in the username and the password and clicks on the 'Go' button, the entered username and password go to the malicious access point server, which can read them in the malicious_faked_accesspoint.php page using the $_POST array.

The end: The attacker successfully got the username and the password of my users.

And if this is still hard to perform, there are programs that can fake an access point to any web application in less than a millisecond.

This kind of attack is very easy to perform, and I wonder what huge organizations like Google and Facebook are doing against it.

I searched a lot online and found a lot of articles describing the problem, but they are not talking about a possible solution.

The faked login page is on another domain, so the thing that makes the difference between the faked web page and the real web page is the URL, but not all users understand what goes on in the URL and why.

I think it is almost impossible to overcome this type of attack, because my real web server definitely has no control over the faked access point, and whatever I do on the real web page, the fake web page will have the same appearance as the real web page.

So I put this question here so other viewers can read and think about it, and if someone didn't know about it, it is good to know this now, especially if you are a web developer.

What I have tried:

Maybe I can tell the users to check the URL every time they go to each page on my web site. OK, I get it, but still, how will they remember my suggestion and see any difference between the real page and the faked one (users that don't understand URLs)? Maybe some more practical suggestions?
Posted; updated 11-Nov-18 2:37am (v3)
Comments
Peter_in_2780 12-Nov-18 16:26pm
Two terms to search:
phishing
two-factor authentication

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)