Browser Shim Password Theft Risk

TL;DR

Yes, a malicious shim (polyfill) can be installed in Internet Explorer, Firefox, or Chrome without the user’s explicit knowledge and potentially read passwords entered on login pages. This is a serious cyber security risk, but requires exploiting vulnerabilities or tricking users into installing compromised software/extensions.

How Shims Work

Shims are pieces of code that provide compatibility for older features in newer browsers. They ‘fill in’ gaps where browser support is lacking. They work by intercepting and modifying JavaScript calls. This power, if abused, can be used to steal data.

Can a Shim Be Installed Without User Knowledge?

1. Compromised Extensions/Add-ons: The most common method. Attackers create browser extensions that appear legitimate but contain malicious shims. Users unknowingly install these, granting them access to their browsing data.
   Mitigation: Only install extensions from trusted sources and review permissions carefully.
2. Malicious Software: Malware can inject shims directly into the browser process or modify existing files.
   Mitigation: Use reputable antivirus software and keep your operating system updated.
3. Man-in-the-Middle (MITM) Attacks: An attacker intercepts network traffic and injects malicious JavaScript code, including a shim, before it reaches the browser.
   Mitigation: Use HTTPS websites whenever possible and avoid public Wi-Fi networks without a VPN.
4. Exploiting Browser Vulnerabilities: Rare but possible. Attackers can exploit security flaws in the browser to inject shims directly into memory.
   Mitigation: Keep your browser updated with the latest security patches.

Can a Shim Read Passwords?

Yes, if installed successfully, a shim can potentially read passwords entered on login pages. Here’s how:

1. Intercepting Form Submissions: Shims can hook into the JavaScript event handling for form submissions. They can capture the data before it’s encrypted and sent to the server.

   document.addEventListener('submit', function(event) {
     const form = event.target;
     const passwordField = document.querySelector('[type="password"]');
     if (passwordField) {
       const password = passwordField.value;
       // Send the password to a malicious server.
       console.log('Password intercepted:', password);
     }
   });

2. Accessing DOM Elements: Shims can directly access and read the values of input fields, including password fields.

   const passwordField = document.getElementById('password');
   if (passwordField) {
     const password = passwordField.value;
     console.log('Password from DOM:', password);
   }

3. Keylogging: More sophisticated shims can implement keylogging functionality to capture keystrokes as they are typed, including passwords.
   Note: This is more complex and requires deeper system-level access.

Browser Protections

• Content Security Policy (CSP): Helps prevent the execution of malicious scripts from untrusted sources.
• Subresource Integrity (SRI): Ensures that downloaded JavaScript files haven’t been tampered with.
• Sandboxing: Isolates extensions and web content to limit their access to system resources.
• Same-Origin Policy: Restricts scripts from accessing data from different domains.

What You Can Do

1. Keep Your Browser Updated: Regular updates include security patches that address vulnerabilities.
2. Use Strong, Unique Passwords: Makes it harder for attackers to compromise your accounts even if they steal a password.
3. Enable Two-Factor Authentication (2FA): Adds an extra layer of security beyond just a password.
4. Be Careful What You Install: Only install browser extensions and software from trusted sources. Review permissions before installing anything.
5. Use Reputable Antivirus Software: Helps detect and remove malware that could inject malicious shims.