
Re: Dynamic/random field & form names (sparkasse.de)

Posted: Mon Feb 07, 2011 4:24 pm
by IMGrant
spacebear wrote: IMGrant, thanks for your quick reply. Well, I was suspecting that already. I was just hoping that someone would have found a solution to this in the meantime. Maybe something like a page recognition that doesn't take into account the field ID, but the location of the field on the HTML page.

Another thing that's worth mentioning is that upon page load, the keyboard focus is already on the login field. So maybe a simple login<tab>password<enter> input sequence like KeePass does would do the trick (I've been using KeePass before and it works perfectly there).


Ah, I didn't know that about KeePass, maybe there is hope for LastPass if the developers are reading!

Re: Dynamic/random field & form names (sparkasse.de)

Posted: Tue Feb 08, 2011 7:24 pm
by Gremlin
Does anyone believe a wildcard in the url portion of the edit entry information box would be of use here?

https://www.login.mybank.com/login/config/*

Where the * replaces the portion of the page url that is random.

I am NOT a coder.

Re: Dynamic/random field & form names (sparkasse.de)

Posted: Wed Feb 09, 2011 3:01 am
by spacebear
I'm not sure if I understood you correctly, but the ID we're talking about is not referring to a URL, but to the HTML part of the page where you enter the login information into the fields.

Re: Dynamic/random field & form names (sparkasse.de)

Posted: Wed Feb 09, 2011 4:07 pm
by Gremlin
spacebear wrote: I'm not sure if I understood you correctly, but the ID we're talking about is not referring to a URL, but to the HTML part of the page where you enter the login information into the fields.



Ahh, so it's in the HTML code of the page itself. I thought that somehow they were adding a random number to the url of the page, thus making previous pages obsolete. Thanks!

Re: Dynamic/random field & form names (sparkasse.de)

Posted: Thu Feb 17, 2011 4:05 am
by IMGrant
This morning yet another of my financial institutions updated its login procedure to a multi-step one that now also involves random/dynamic field names. Are LastPass working on something that will be able to navigate these fields? It looks like the start of an escalating battle - first browsers offered sites the option to not auto-fill/save passwords, LastPass circumvents that, now sites use random field names, I hope LastPass will be able to solve that too, but then surely some sites will come up with something new. The dreaded Captcha probably...

Re: Dynamic/random field & form names (sparkasse.de)

Posted: Thu Feb 17, 2011 4:17 am
by spacebear
I'm starting to wonder what the security benefit is. If it's so insecure with "fixed" field labels, why does everyone else do it?

Re: Dynamic/random field & form names (sparkasse.de)

Posted: Sat Apr 09, 2011 2:21 pm
by tlu1024
I'm having the same problem with Fördesparkasse.

Daniel Dawson wrote for me the following script for Greasemonkey that worked for me under Firefox 3.6 but apparently no longer under FF 4. Nevertheless, it might be useful for the LastPass people to solve this problem.

Code:
// Original code copyright (C) 2010 Daniel Dawson
// You may freely copy and modify this code provided this copyright notice is preserved
// verbatim. You may add your own notice(s) below.

// ==UserScript==
// @name           Förde Sparkasse autologin workaround
// @namespace      http://www.icehouse.net/ddawson/
// @description    Works around the login manager countermeasures on Förde Sparkasse's login form
// @include        https://banking.foerde-sparkasse.de/portal/portal/StartenIPSTANDARD?IID=21050170&AID=IPSTANDARD&IFLBSERVERID=IF@@043@@IF&p=p.finanzstatus&a=C
// ==/UserScript==

(function () {
  // Constants for configuration
  const formActionMatch = "LoginIPSTANDARD",  // substring to match in form action
        classNameMatch = "osppformfeldmuss",  // class attribute to match for real form elements
        uidIndex = 0, pinIndex = 1,           // indices of relevant form elements in match
        changebackTimeout = 200;              // time (ms) after which to change field names back

  // Find the form and its controls
  var theForm = document.evaluate(
    '//form[contains(@action, "' + formActionMatch + '")]', document, null,
    XPathResult.FIRST_ORDERED_NODE_TYPE, null).singleNodeValue;

  // Nothing to do if the login form is not on this page
  if (!theForm) return;

  // Make it autofillable
  theForm.removeAttribute("autocomplete");

  // Pick out the correct fields to be filled
  var inputs = theForm.elements;
  var actualFields = [];
  for (var i = 0; i < inputs.length; i++) {
    if (inputs[i].hasAttribute("class") && inputs[i].getAttribute("class") == classNameMatch)
      actualFields.push(inputs[i]);
    else if (inputs[i].tagName.toLowerCase() == "input")
      // Work around a bug in autofilling: confusing non-hidden text field for username field
      // even though its name doesn't match!
      inputs[i].type = "hidden";
  }

  // Temporarily change the names of the relevant fields so autofill can work
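  var uidField = actualFields[uidIndex], pinField = actualFields[pinIndex];
  // Stop if the expected fields were not found (e.g. the page markup changed)
  if (!uidField || !pinField) return;
  var realUidFieldName = uidField.name, realPinFieldName = pinField.name;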
  uidField.name = "uid";
  pinField.name = "pin";

  // Change the names back after autofill has done its job
  window.setTimeout(
    function (evt) {
      uidField.name = realUidFieldName;
      pinField.name = realPinFieldName;
    },
    changebackTimeout);
})()

Re: Dynamic/random field & form names (sparkasse.de)

Posted: Sun May 08, 2011 2:49 pm
by tlu1024
tlu1024 wrote: I'm having the same problem with Fördesparkasse.

Daniel Dawson wrote for me the following script for Greasemonkey that worked for me under Firefox 3.6 but apparently no longer under FF 4.


I withdraw that statement. The script does work for me. I don't know if it works also for other Sparkassen, though. It might be necessary to modify it.

Re: Dynamic/random field & form names (sparkasse.de)

Posted: Sun Sep 09, 2012 3:30 pm
by cmorty
If you adjust the header a bit it should work with most Sparkasse-websites.
Code:
// @include        https://*.*sparkasse*.de/portal/portal/*
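
Added example (not part of cmorty's post or Daniel Dawson's script): the @include line decides on which pages the userscript, which re-enables autofill on the login form, is allowed to run. The sketch below approximates Greasemonkey's glob matching, where * matches any run of characters, and compares the wider pattern with an exact-host check; the helper names and all sample URLs except the Förde Sparkasse one are constructed for illustration.

```javascript
// Approximation of glob-style @include matching: "*" matches any run of
// characters, including "." and "/". Not Greasemonkey's own code.
function includeToRegExp(pattern) {
  // Escape regex metacharacters except "*", then turn "*" into ".*".
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

function matchesInclude(pattern, url) {
  return includeToRegExp(pattern).test(url);
}

// Stricter alternative (assumption, not from the thread): parse the URL and
// compare scheme, exact hostname and path prefix.
function matchesHostAllowlist(allowedHosts, pathPrefix, url) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  return u.protocol === "https:" &&
         allowedHosts.includes(u.hostname) &&
         u.pathname.startsWith(pathPrefix);
}

const BROAD = "https://*.*sparkasse*.de/portal/portal/*"; // pattern from the post above
const ALLOWED = ["banking.foerde-sparkasse.de"];          // host from the original script

// Constructed sample URLs; every host except the first is made up.
const SAMPLES = [
  "https://banking.foerde-sparkasse.de/portal/portal/StartenIPSTANDARD",
  "https://banking.sparkasse-sample.de/portal/portal/Start",
  "https://www.not-a-sparkasse-site.de/portal/portal/Start",
  "https://host.example/x.sparkasse.de/portal/portal/Start",
];

// For each sample, report whether each rule would let the script run there.
function compare() {
  return SAMPLES.map(url => ({
    url,
    broad: matchesInclude(BROAD, url),
    allowlist: matchesHostAllowlist(ALLOWED, "/portal/portal/", url),
  }));
}

console.table(compare());
```

The wide pattern accepts all four samples, including the one where "sparkasse.de" appears only in the path, so listing one @include line per bank host actually used keeps the script off unrelated pages.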