Dynamic/random field & form names (sparkasse.de)

A list of problematic websites and workarounds to make them work

Moderators: admin, anatoly_LP, chantieLP, robyn, JoeSiegrist

Re: Dynamic/random field & form names (sparkasse.de)

Postby IMGrant » Mon Feb 07, 2011 4:24 pm

spacebear Wrote:IMGrant, thanks for your quick reply. Well, I was suspecting that already. I was just hoping that someone would have found a solution to this in the meantime. Maybe something like a page recognition that doesn't take into account the field ID, but the location of the field on the HTML page.

Another thing that's worth mentioning is that upon page load, the keyboard focus is already on the login field. So maybe a simple login<tab>password<enter> input sequence like KeePass does would do the trick (I've been using KeePass before and it works perfectly there).


Ah, I didn't know that about KeePass, maybe there is hope for LastPass if the developers are reading!
IMGrant
 
Posts: 26
Joined: Thu Sep 10, 2009 9:31 am

Re: Dynamic/random field & form names (sparkasse.de)

Postby Gremlin » Tue Feb 08, 2011 7:24 pm

Does anyone believe a wildcard in the url portion of the edit entry information box would be of use here?

https://www.login.mybank.com/login/config/*

Where the * replaces the portion of the page url that is random.

I am NOT a coder.
Gremlin
 
Posts: 5
Joined: Tue Feb 08, 2011 3:37 pm

Re: Dynamic/random field & form names (sparkasse.de)

Postby spacebear » Wed Feb 09, 2011 3:01 am

I'm not sure if I understood you correctly, but the ID we're talking about is not referring to a URL, but to the HTML part of the page where you enter the login information into the fields.
spacebear
 
Posts: 8
Joined: Mon Feb 07, 2011 1:53 pm

Re: Dynamic/random field & form names (sparkasse.de)

Postby Gremlin » Wed Feb 09, 2011 4:07 pm

spacebear Wrote:I'm not sure if I understood you correctly, but the ID we're talking about is not referring to a URL, but to the HTML part of the page where you enter the login information into the fields.



Ahh, so it's in the HTML code of the page itself. I thought that somehow they were adding a random number to the url of the page, thus making previous pages obsolete. Thanks!
Gremlin
 
Posts: 5
Joined: Tue Feb 08, 2011 3:37 pm

Re: Dynamic/random field & form names (sparkasse.de)

Postby IMGrant » Thu Feb 17, 2011 4:05 am

This morning yet another of my financial institutions updated its login procedure to a multi-step one that now also involves random/dynamic field names. Are LastPass working on something that will be able to navigate these fields? It looks like the start of an escalating battle - first browsers offered sites the option to not auto-fill/save passwords, LastPass circumvents that, now sites use random field names, I hope LastPass will be able to solve that too, but then surely some sites will come up with something new. The dreaded Captcha probably...
IMGrant
 
Posts: 26
Joined: Thu Sep 10, 2009 9:31 am

Re: Dynamic/random field & form names (sparkasse.de)

Postby spacebear » Thu Feb 17, 2011 4:17 am

I'm starting to wonder what the security benefit is. If it's so insecure with "fixed" field labels, why does everyone else do it?
spacebear
 
Posts: 8
Joined: Mon Feb 07, 2011 1:53 pm

Re: Dynamic/random field & form names (sparkasse.de)

Postby tlu1024 » Sat Apr 09, 2011 2:21 pm

I'm having the same problem with Fördesparkasse.

Daniel Dawson wrote for me the following script for Greasemonkey that worked for me under Firefox 3.6 but apparently no longer under FF 4. Nevertheless, it might be useful for the Lastpass people to solve this problem.

Code: Select All Code
// Original code copyright (C) 2010 Daniel Dawson
// You may freely copy and modify this code provided this copyright notice is preserved
// verbatim. You may add your own notice(s) below.

// ==UserScript==
// @name           Förde Sparkasse autologin workaround
// @namespace      http://www.icehouse.net/ddawson/
// @description    Works around the login manager countermeasures on Förde Sparkasse's login form
// @include        https://banking.foerde-sparkasse.de/portal/portal/StartenIPSTANDARD?IID=21050170&AID=IPSTANDARD&IFLBSERVERID=IF@@043@@IF&p=p.finanzstatus&a=C
// ==/UserScript==

(function () {
  // Constants for configuration
  const formActionMatch = "LoginIPSTANDARD",  // substring to match in form action
        classNameMatch = "osppformfeldmuss",  // class attribute to match for real form elements
        uidIndex = 0, pinIndex = 1,           // indices of relevant form elements in match
        changebackTimeout = 200;              // time (ms) after which to change field names back

  // Find the form and its controls
  var theForm = document.evaluate(
    '//form[contains(@action, "' + formActionMatch + '")]', document, null,
    XPathResult.FIRST_ORDERED_NODE_TYPE, null).singleNodeValue;

  // Make it autofillable
  theForm.removeAttribute("autocomplete");

  // Pick out the correct fields to be filled
  var inputs = theForm.elements;
  var actualFields = [];
  for (var i = 0; i < inputs.length; i++) {
    if (inputs[i].hasAttribute("class") && inputs[i].getAttribute("class") == classNameMatch)
      actualFields.push(inputs[i]);
    else if (inputs[i].tagName.toLowerCase() == "input")
      // Work around a bug in autofilling: confusing non-hidden text field for username field
      // even though its name doesn't match!
      inputs[i].type = "hidden";
  }

  // Temporarily change the names of the relevant fields so autofill can work
  var uidField = actualFields[uidIndex], pinField = actualFields[pinIndex];
  var realUidFieldName = uidField.name, realPinFieldName = pinField.name;
  uidField.name = "uid";
  pinField.name = "pin";

  // Change the names back after autofill has done its job
  window.setTimeout(
    function (evt) {
      uidField.name = realUidFieldName;
      pinField.name = realPinFieldName;
    },
    changebackTimeout);
})()
tlu1024
 
Posts: 11
Joined: Sat Apr 09, 2011 2:15 pm

Re: Dynamic/random field & form names (sparkasse.de)

Postby tlu1024 » Sun May 08, 2011 2:49 pm

tlu1024 Wrote:I'm having the same problem with Fördesparkasse.

Daniel Dawson wrote for me the following script for Greasemonkey that worked for me under Firefox 3.6 but apparently no longer under FF 4.


I withdraw that statement. The script does work for me. I don't know if it works also for other Sparkassen, though. It might be necessary to modify it.
tlu1024
 
Posts: 11
Joined: Sat Apr 09, 2011 2:15 pm

Re: Dynamic/random field & form names (sparkasse.de)

Postby cmorty » Sun Sep 09, 2012 3:30 pm

If you adjust the header a bit it should work with most Sparkasse-websites.
Code: Select All Code
@include        https://*.*sparkasse*.de/portal/portal/*
cmorty
 
Posts: 1
Joined: Sun Sep 09, 2012 3:24 pm

Previous

Return to Workarounds For Problematic Logins

Who is online

Users browsing this forum: No registered users and 11 guests