Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Fortunately, Adida and his team found a solution to the problem that was also easy to implement. Instead of checking the browser window’s location, they suggest checking another attribute: the referrer header. As long as the bookmarklet uses a standard data transfer protocol known as a secure socket layer (SSL), the header cannot be easily forged.

Of the six bookmarklet companies contacted by the research team, five decided to implement the solution: Verisign, MyVidoop, Clipperz, PassPack, and MashedLife. The sixth company opted to warn its customers about the problem instead of fixing it as the researchers suggested.

“It was a very straightforward fix,” says Scott Blomquist, chief technical officer for MyVidoop, of Portland, OR. “It only took a few minutes of developer time.” Blomquist describes the vulnerability as “marginal”–noting that few people use the bookmarklet version of their password manager and that the attack would take some time and skill to implement.

Still, it could potentially expose users to significant financial loss. “It’s unlikely that some attacker has actually done this,” notes Adida, “but if [someone] had, you wouldn’t even know.” A user might notice that his bank account is empty, but it would be hard to figure out how the attack was perpetrated. “At the end of the day, a lot of this security stuff is a bit like selling life insurance. Most users are just not paranoid enough.”

The researchers believe that in the future, there will be an even better solution to the bookmarklet problem: a new browser feature called postMessage. Barth says that the postMessage feature is designed to allow browser windows to transmit information back and forth securely, while accurately confirming the origin of each message. Once this feature is implemented in most browsers, Jackson says, it could be used to transmit passwords between browser frames or windows in a secure fashion.

0 comments about this story. Start the discussion »

Credit: Technology Review

Tagged: Computing, security, Internet, passwords, browser

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me