A bit about Yandex Protect

“Even if you click on some link and enter your login and password, nothing like this will happen” - Yandex Browser advertising. How does it work, and does it work at all? Seeing this ad, I naturally wondered how Yandex had managed to “defeat” a problem as hard as password theft. Note that I looked at only one of the Yandex Protect functions, namely “Protection against password theft”.

In short, the password-theft protection mechanism in Yandex Browser comes down to checking the value of input type="password" fields before the form is sent to the server. At that moment the value of the field is compared with the passwords stored in the browser (according to Yandex, password hashes are compared). If a match is found, the user is shown a warning. The idea is understandable in general, but the effectiveness of the method is questionable.
First of all
This method will not stop the creators of phishing sites at all; it will merely force them to tweak the code on the page a little. There are many options: use a different input type (only type="password" is checked), attach an event handler to the input field, read its contents with a script and send the values to the server in the background, and quite a few more can be thought up. As an experiment, I transformed the contents of the input type="password" field with an algorithm I knew before submission and restored it on the server.
Secondly
The method implemented in Yandex Browser opens another “door” for attackers. Because, for this protection mechanism to work, the browser compares the typed password with the passwords saved in the browser, it is possible to brute-force passwords in the background simply by placing a specially prepared script on a site. Such a script would fill an input type="password" field hidden from the user with passwords from a dictionary one after another and emulate submitting the form to the server, waiting for the protection to fire. The protection being triggered is the indicator that the password is correct. The method has several drawbacks: to go through a large number of passwords, the user must stay on the malicious site for a long time; it is not known which resource the found password belongs to; and the user suddenly gets a warning window that may alert him. Still, it is an unpleasant feature.
And thirdly
In my opinion, this is the most unpleasant part. Such advertising instills in users a false sense of security, which in effect lowers the actual security of those very Yandex Browser users.

Source: https://habr.com/ru/post/272045/
