Wordle 850 3/6
🟩🟨⬛⬛⬛
🟩⬛⬛🟨🟨
🟩🟩🟩🟩🟩
Ok, I have had my coffee, so you can all come out now!
|
Wordle 850 3/6
⬜⬜⬜⬜⬜
🟨🟨⬜🟩⬜
🟩🟩🟩🟩🟩
"A little time, a little trouble, your better day"
Badfinger
|
I just tried to pay my health service premium online. The health service's payment service requests an email address and password. It also has an option to choose one of your previously used logins. I was horrified to see it cough up website URLs, Login IDs, AND passwords over the past I do not know how many years. Unbelievable!
Update: Upon further inspection, as Richard points out below, this list of logins is coming from the browser, not the website. I use mostly Firefox. The list pops out even on my own website, BirdBuffs, and it is definitely not from my own code. Also Edge is doing something similar, probably Chrome as well. No doubt safe for now, at least until the bad guys hack it.
|
How is this a Windows security problem?
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikins uncle
|
Member 10798832 wrote: one of your previously used logins
Agreed with jeron. How do you think it works? Is this not just the browser letting you pick from previous logins it knows about?
|
Correct me if I am wrong, but the web app executing in the browser on your machine extracts the login information from your system, uploads it to the web server, renders it on the page, and posts the page back to your browser. Thus the app running on the server can do whatever it wants with the information. Not only that but this data is broadcast in the clear over the Internet!
|
No, that's all handled locally by the browser. It never leaves your system.
|
Quote: It never leaves your system
I am afraid you are wrong! See my entry below.
Ok, I have had my coffee, so you can all come out now!
|
Right. Your profile data is synched with MS's servers so it can be brought back and shared across whatever devices you let it. That's all under your control. Most of these things have switches so it can be turned off.
OP was under the mistaken impression all of that data was being shared with whatever site you're connecting to, which is clearly not the case.
And FWIW, most browsers do something similar. So do password managers. On all OSes. On all devices. None of that is a "major breech [sic] in Windows security" until, y'know, there's an actual breach to speak of.
Which is why I tend not to let anything sync stuff online, but not for the reasons OP was thinking of.
|
Also a payment service will be using HTTPS so anything sent is encrypted.
|
Right. It is encrypted during communications over the Internet. But not once it gets to the host server.
|
No, the browser keeps all the login details that you have told it to save. If you want to tidy it up then go to the browser's settings page where you can delete any outdated details.
|
I reckon it could work both ways; data can be bound either at the client machine or at the server. The site I mention here obviously had access to the system files on my PC, extracted saved login information which was not encrypted, and then if they so desired could easily upload to their server.
|
You misunderstand how browsers work. Login and password data may be saved by the browser, under your direction. That information is encrypted and stored in the browser database on your client system. There is no way the browser can pass that back to the server unless you write some code to do it. If you also tell the browser to make that information available through other devices then it will transmit it securely via your account with the browser provider.
|
This.
I challenge OP to put together a web page that'll surface my browser's credentials as claimed.
|
That is the point. If I can write some code to send login data back to the server then the particular site I mentioned can do it and others could do it as well. As I pointed out it gives you a list of sites you have saved logins for along with login IDs and passwords, not encrypted.
|
Member 10798832 wrote: saved logins for along with login IDs and passwords, not encrypted.
On the contrary they are encrypted, and stored on your PC. And the only time a web page can get access to these details is when you select them to login. So if you go to www.Istealyourdata.com, and it asks for your login details, what are you going to do?
|
Yes! You are correct! A couple of weeks ago, I had the occasion to clean my system's drive using Diskpart. Then I did a complete clean install of Windows 11. As soon as Windows was up and running, it synched with Microsoft's servers and everything was back: All my desktop icons, browser shortcuts AND all my old login information for dozens of websites - user names and passwords. This information must have been stored on Microsoft's servers. How else could it magically re-appear in my system?
Ok, I have had my coffee, so you can all come out now!
modified 17-Oct-23 8:59am.
|
Log into Chrome on Linux. Then log into Chrome on, say, an Android phone. All your Chrome config data is brought back in the way you've just described.
Oh noes, now both Linux and Android have a "major breech" too! M$'s bad software design truly has no bounds!
[Edit]
I have no idea whether you're being sarcastic.
|
Cp-Coder wrote: This information must have been stored on Microsoft's servers.
Yes, it is stored in your Microsoft account in the cloud.
|
Interesting discussion.
Browsers definitely can store user/password information as associated in a URL on the local machine.
Far as I know this is the default.
Edge
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-password-manager-security
Chrome
Manage passwords - Computer - Google Chrome Help
As noted in another post, those stay on the machine. The information (the list) is not sent to the site. Rather the browser is smart enough to fill it in. I have used browser dev tools enough that I would have seen this if it was the case. I have been using browser dev tools for years (more than a decade).
Now whether it can happen across devices is different. But it is possible. Far as I know however it is not on by default. Someone needs to have checked a box somewhere before this happens.
Edge
https://stackoverflow.com/questions/75677133/clear-cloud-saved-passwords-microsoft-edge
Chrome
Use passwords across your devices - Computer - Google Account Help
That said however I kind of doubt that the browser is what is sharing this data. Rather it is something else. And the browser just is able to use it after it happens.
|
I hope you are right. Nonetheless freaks me out.
|
If you don't trust your browser then switch the feature off. Just tell your browser never to save password details and you can stop worrying.
|
It looks like WinAmp finally has all of their properties in order, and is being properly developed: Winamp. That took a while!
|
It took a long time, but I got the new version about 2 months or so ago and like it.
Although the appearance hasn't changed much.
I don't think before I open my mouth, I like to be as surprised as everyone else.