

ID: 658317 • Letter: A

Question

An online banking site which I use has a "feature" that disallows a user from pressing Enter to submit a login form. For example, if you have typed your username in the Username field, pressing Enter will show a message "Please click Login to login".

Most users would follow by using the mouse to point and click. However, it is actually possible to just press Tab to move the focus to the button, and press Space to submit the form.

1. Do you think "preventing form submit by pressing Enter" or "asking the user to use the mouse" is a case of security by obscurity? They aren't using on-screen keyboards though, which I believe are supposed to circumvent keyloggers.

2. What sort of attack/threat would this measure be likely to circumvent?

Explanation / Answer

Some banks have JavaScript that encrypts/hashes the data on the client side using, for example, a public key or a hash algorithm, and then sends it. Submitting the form with ENTER on a computer with JavaScript disabled would send the details "over the clear" (note: the site might still be SSL-encrypted if it uses SSL, but the login details would get sent in clear inside the SSL session, so a MITMer would gain access to those, as compared to not gaining access to those if JavaScript was active). Thus an attacker can disable JavaScript to force cleartext transmission, thus removing one speedbump for the attacker, so the attacker only has to deal with SSL instead of SSL+JS encryption. Note that a clear action="" or a non-specified action would submit the form to the same page as the form. So there's no foolproof way to absolutely disable form submission for a computer with JavaScript disabled.

The bank here has then instead used an input type="button" that calls a JavaScript function, and the input fields are OUTSIDE form tags. This effectively locks down the form to ONLY work over JavaScript. Many customers would then press ENTER, which would not do anything since the input fields are not contained in a form; thus, they just added a dirty check for Enter, and if Enter is pressed, they just show a message to use the button.