Slashdot Mirror
Firefox 2.0 Password Manager Bug Exposes Passwords
zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."
...secure by design!!
is that just for FF2.0 or below ?
...as though millions of Firefox users were laughing at IE users, and were suddenly silenced.
Cue "still more secure" arguments now.
Now that its 2006, can we now use a better form of "authentication" than a few ascii characters?
Every website wants you to have a password. You know, for important stuff like making a purchase because you use a password for a purchase at a brick and mortar store, right?
Well, since its a good practice to use unique passwords, and users get forgetful, then they use the web browser tool to store their passwords, then they forget their passwords, and when they use another computer or update their existing one, their tool does not work, and if it does work, then the browser gives away your passwords.
I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID). But all day at work, these programs continually ask for my password to the point that I dont consider my password secure because I have to change it, and use it so much, I'm desensisized (sp?) and say who cares?
Can we get over passwords soon?
People actually let their browsers remember their passwords? I have never trusted my browser that much.
The masses are the crack whores of religion.
Stopgaps solutions are not a solution, I guess they're planning a 2.0.1 soon? The bug has been reported 10 days ago...
Firefox 2.1 released, with new and improved stability, affordability, portability, extendability, pluginability, and securability.
The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain.
Worst idea ever. The question isn't why wasn't this discovered earlier, but who decided this was a good idea in the first place?
What?
According to the Bugzilla link, this bug is also present in pre 2.0 releases of Firefox, and IE 6/7.
So much for me being smug about going back to Firefox 1.5!
A pizza of radius z and thickness a has a volume of pi z z a
...using Microsoft Internet Explorer. AAaaaaaaaaaaaargh!
If you mod me down, I shall become more powerful than you could possibly imagine.
It is absolutely shocking that such a serious bug would be discovered in Firefox. This is why I was reluctant to upgrade to 2.0 when it first came out. Sadly, I bit the bullet and upgraded anyways.
Unfortunately, the dev team has shown its fallibility in one of the most idiotic ways possible. If they resolve the problem quickly, they may be absolved of their negligence. Otherwise, it will be difficult to continue advocating for Firefox as vocally as I have in the past.
Pax Digitalia
A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability
I used that one on my girlfriend. I believe it's also called the "Dirty Sanchez".
The theory of relativity doesn't work right in Arkansas.
Why didn't he just code it right to start with
>:(
My feeling is, people who rely on "password managers" get what they deserve when their passwords end up in the wrong hands. It's generally just a bad idea to store passwords anywhere but your head.
+0 Meh
RTFA?
The hell, you say.
'Tis slashdot, bucko:
No read-read today.
Always for good suds we pray.
Burma Shave
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
It also took me a while to figure out how to remove the close button from each tab. The tab scrolling "feature" was also a point of great annoyance that took up more of my time to find a fix.
In short I'm just not jumping for joy over FF. This new flaw happens to come to light the day after I search Google for a way to manually add userids and passwords to the FF DB (any ideas?). This was to address the problem of FF not picking up some text fields as userid and password fields. One solution I found was RoboForm, though I'm not sure I want to pay for what I think should be a fairly easy thing to do inside FF. FF is getting better but personally I'd rather be using Mozilla 1.7.x.
I love firefox and am very thankful for it being opensource but I loathe how Mozilla chooses to track and report bugs. I have been going around for days and could've been exploited - possibly but not probably - instead of being able to take appropriate measures to protect myself. It's not like this was some little secret the code was already out in the wild to do it. I find this security through obscurity in opensource projects absolutely disgusting. While we are possibly getting compromised they are sitting on their hands. We, the community, are here to quickly fix problems like these too. Thousands of developers could've and would work on this who the bug was hidden from. This makes the development process absolutely useless...
I thought the rule of thumb for any user-created content was to never allow freeform html? You either let them control their formatting with a separate markup (like BBCode), or you limit them to specific tags (like they do here). In neither of these situations is this exploit possible.
Allowing full html coding, including embedding java or javascript, is an invitation for the unscrupulous. That's one of the 500 reasons I can think of to never visit a website like myspace.
That said, much like language, the web is defined by its users. While I don't feel like it's Firefox's responsibility to fix issues like this, they'd do best to be aware of it. It wouldn't be a bad idea at all to tie password remembering to the exact url (at least everything up to the "?") by default.
Money I owe, money-iy-ay
If you have 50-100 passwords at various sites, established over years, there's really a shortage of other good options. You can go the old-school route and just write them all down on a pad of paper, or the slightly more sophisticated route and put them in a text file or encrypted database on your local machine, but that doesn't help you when you want to log into a site from another machine.
I was disappointed to hear of this vulnerability, because I use Google Browser Sync pretty heavily for keeping track of cookies and trivial passwords, and to be honest I'm not really sure what I'd do without it. More important passwords I keep in an old Palm Pilot using a GPLed password-management and generation program on it, but recalling passwords from it is a pain (takes several minutes to get Palm out, type in master password, etc.).
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
That is disturbing to me since I use FF2 to store many of my passwords. However, I don't store passwords for more critical sites, like my bank's website. I recommend others do the same.
I am still using FF1.5 because of all the problems with 2.0. Not just bugs like these, although they are disappointing, but reports of the ever present memory leak and the annoying revamps to the tabs bar. Then again, I am eagerly looking forward to upgrade to a better version so I can get some of the improvements, like crash restoration.
I'm running 1.5 and the exploit worked for me.
I stole this Sig
FireFox is OpenSource so it is impossible for it to have bugs let alone secuirty problems. Only Windows has security problems. Buy a Mac - it has no problems and is perfect.
Does anyone know if this attack is possible on Opera? Opera's wand has been around longer than FireFox has, so I'm kinda curious. It seems like something people could exploit in more than just FireFox.
FanFictionRecs.net
An where's the patch for this? If the bug was hidden from all, then why would they go public with it without a patch? And why would they hide it in the first place? Open source developers could have submitted patches already!
There is a neat little piece of javascript at http://www.xs4all.nl/~jlpoutre/BoT/Javascript/Pass wordComposer/ that lets you just think up a master password in your head and then use this applet to automatically generate a site-specific, unique hash and fill in the password field automatically. This way you can remember the passwords easily, you never have to save them or write them down. And if one site gets compromised, that password (the hash) won't work with any other site. The drawback is that if you don't have this piece of javascript then you can't get into your sites.
Thought until now of multiple personality but mystery solved! It was just my browser!...
PS: I shall not be held accountable for ANY of my comments...
After reading TFA and the bugzilla report it sounds like this bug does not allow ANY password stored in the password manager to be stolen as some people seem to be assuming. It sounds like only passwords for sites that allows user generated HTML to contain input fields are at risk.
Does anyone know if Konqueror (using KDE Wallet) is affected? And what about other browsers, like Opera, Epiphany, and so on? I'd just like to know how common this type of exploit is.
Remember the Java ring? It had a processor and stored the private key in a tamper resistant case (erases instantly when case is compromised). PC programs would ask the Java ring to sign things. A virus could get bogus signatures while it was connected, but couldn't compromise the key. Unfortunately, it used a funky "One Wire" adaptor to get power and talk to a PC. If only they would reintroduce it in a USB format!
IDIOT. IE6, IE7, FF1.5, FF2.0, Opera all affected. So what browser is someone like you using up their on your high fucking horse?
... this is just because IE6/7 have poor compatibility with the rest of the world. They can't even support the exploits, anymore, honestly.
OK, jokes aside, someone just released an exploit into the wild which *can't work on IE*. And they presumably still thought they were going to get something of value on it. Hiya, FireFox, welcome to the "visible enough to be a target" club. And it only gets worse. I hope your million bug finding eyes are bright and perky because it only gets worse and it never, ever stops.
Help poke pirates in the eyepatch, arr.
...IE 6 is such shite, you' WANT to walk away...
While I agree FF should alert the user, this is not a hole in FF's security architecture. Its rather a software level bug. Moral of the story: 1. don't be lazy and ask your browser to remember your password. 2. if you insist to be lazy, store passwords only for trivial web accounts.
I never have Firefox nor any browser for that matter keep passwords to information that might comprimise my identity. Unless identity thieves want to play sockpuppet with a forum account I don't think theres anything of interest. If people used common sense and not remember extremely important passwords like the one for your PayPal account you would never hear of this kind of problem being a problem.
DEERPARK 1.5.0.4 is also vulnerable - based on firefox 1.5
No big deal. Since I use Thunderbird to check my email, and I don't pay for anything, there's nothing worth stealing. "OH NOES! SOMEONEZ HAX0R3D MY YTMND PASSWORD! T3H W0R1D IS 3ND1NG!!!!!!111one1" Seriously, all my important passwords (such as my Slashdot password), are stored in the most important place available: my brain. I figure, "If I can't remember the password for this site, this site is obviously inferior and not worthy of my attention!"
I don't get why posts are limited to 120 characters. Seems unreasonable to me. I mean, just because I like having a real
If you have form autocomplete on, credit card numbers are stored in plaintext on your hard disk too. Bug's been open for .. what about 4 years now.
They refuse to fix it, they say it's not a bug.
I don't think it's vulnerable to this because it's not fully automatic, however, all someone has to do to get your credit card number is type the first digit and it'll fill in the rest.
Their advice, "Don't use autocomplete".
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Though to be clear exactly it will only forward form input to URLs that appear in form inputs on the same site (domain, that is.) Like the article says, it will only allow say a myspace user to steal your myspace password, he won't be able to steal passwords from other domains, though he will be able to use a non-myspace site to collect the stolen information and that's the bigger portion of the problem. I don't know whether I would classify this *only* as a bug in the browser, rather also a bug in the websites for allowing users of the websites to output form HTML tags that don't reference back into the CMS.
In any case, it should be fixed in *both* places -- a lot of wikiware probably also has the potential to allow this exploit, and should be fixed not to. In addition to fixing browsers to check the form URL before autofilling, restricting autofilling form inputs to same-page on the browser side would be a good option to have for the paranoid, but I'm betting it will break a lot of sites ("break" as in require the password to be put in a whole lot of times) that take login information in from more than one URL.
Someone had to do it.
i'm using firefox 2.0 on linux, first my popup blocker would allow the site to open when i clicked on the video like the instructions said, then when i allowed it i just got youtube.com?
"if i'd known it was harmless, i'd have killed it myself"
Just remember your freaking passwords in your head, is it that hard?
I for one only use the browsers store password feature for the most trivial of sites. For more important sites, I use Password Safe. The program and the database fit easily on a thumb drive, and requires a master password to access. It has a user configurable time out, and a double click on an account copies the data to the clipboard for later use, allowing you to foil keyboard based sniffers.
IANAL... But I play one on
OpenID seems to be the right approach to this. Login once (Passport-like), but to your own server -- it could be a password, a key exchange, whatever, the idea is to produce some sort of session cookie that your server can check. You can login to any other site, but through a process which doesn't give that site any kind of credentials to use on other sites, and you can restrict which sites may check your identity at all.
I'm not sure how this would protect against this kind of vulnerability, but I am convinced it's the right approach, overall, to authentication.
Don't thank God, thank a doctor!
You're actually having a better experience than many people.
About a year ago I helped my father-in-law switch to Firefox. He recent decided to try Firefox 2.0, but had a lot of problems with it. One was that it made his computer slow down a lot. So on the weekend when my wife and I went to visit, I took a look at his PC. Sure enough, it was terribly slow when using Firefox.
See, he has a machine with "only" 512 MB of RAM. What did Firefox do? According to Task Manager, it was consuming 1896 MB of RAM. I remember the number exactly, as it was 100 years before my son was born. Sure enough, the machine would thrash to a terrible extent. I removed all traces of Firefox, and reinstalled it. No third-party plugins were used, yet we found the exact same problems.
Our final solution was Opera. Unlike Firefox, he reports that it hasn't measured above 35 MB of RAM consumption.
Here is a quick clarification about Internet Explorer 6/7.
5 426
The attack at MySpace worked against IE users because many were lured into typing their passwords into a form. I saw this in action. It was almost indistinguishable from the legitimate version.
The Bugzilla reference to IE 6/7 was not a comment on the info-svc proof, but the proof at
https://bugzilla.mozilla.org/attachment.cgi?id=24
That form does some interesting things in both browsers, but it does not reflect a normal client/server situation. IE's password manager behaves differently from Firefox when dealing with forms on more than one page, as in the info-svc proof.
In my opinion, both browsers should raise a warning when a cross-site form is loaded, or have that option.
Enjoy
Robert Chapin
Chapin Information Services, Inc.
WINDOWS, this is a WINDOWS bug that manifests using the WINDOWS application "firefox".
How about it? Can we admit that mozilla is a microsoft partner company yet?
The devs working on the "anything but windows" browsers
associated with mozilla, inc. need to FORK, then CHANGE THE NAME AS SOON AS POSSIBLE, and get away from associating with the WINDOWS product. You can't even get a tech site like slashdot to EVER notice there is a difference, so it needs to be made more clear. New name-fork-let the windows doofuses and MS apologizers go do their thing, stop supporting MS products! Just like Novell needs to be boycotted, mozilla products on windows needs to be boycotted, there's no difference.
I use Windows Vista hahah suckers
The anonymous message board technology behind 2chan.net, for example, is almost five years old, and yet I've never seen more than a half-dozen English language forums take advantage of it.
I'm using Opera 9.02 under Linux (Kubuntu 6.10), and could not get the proof-of-concept to work with Wand (Opera's Password Management). I don't think this would be much of an issue with any browser, though, if people would just use some common sense and not store passwords for important things like online banking. While it might suck to have someone exploit this for your Slashdot account and start trolling using your UID, it would be nothing more than an inconvenience. Online banking and credit card transactions, on the other hand, would be major problems. So really, this is a non-issue if you are already a security-minded person. The question: How many normal users are security-minded? The answer is, unfortunately, rather obvious, I think.
"We may face a scorched and lifeless earth, but they're accountable to their shareholders first."
If you are falling back on a single password, then that password can be ridiculously secure. I use a big diceware password http://world.std.com/~reinhold/diceware.html, along with a keepass database http://keepass.sourceforge.net/ Assuming that we arent dealing with keyloggers, that is perfectly secure. ...first post
Opera, my one true love... I shall never leave thee.
I have MS password management to control access to my Firefox password manager.
Phew!
668: Neighbour of the Beast
I have two types of passwords: The ones for fluff sites, like Slashdot, Wikipedia, hotmail (a.k.a. Spam box), and so forth, which usually get 1 of 2 passwords. Then for banks and credit cards and what have you, I use real passwords with different ones for each site.
I could care less if someone hacks my Slashdot account or my wikipedia account. The worst thing they can do is vandalize under my name. And as for hotmail, they can have my spam. And were I to have a myspace account, I could care less if someone got that too.
Fortunately, my bank and credit card companies don't allow others to create their own pages, so I'm not too concerned. I suspect this will get fixed long before it becomes a concern for me.
My bank doesn't provide user created content! ...
When will people learn to read?
I was poking around a few days ago trying to get a userContent.css file to use a local filesystem png file as a background, without having to resort to huge data: URIs.
Eventually I'd thrown enough random ideas at the problem that I ended up finding out about this nightmare waiting to happen. Just for kicks I tried putting some code in the CSS to alert() all the (supposedly hidden) password values on the page. It worked.
They're just using MD5, which you could reproduce on any computer. In fact, that's how I generate _all_ my passwords:
echo "user:domain:iteration:masterpass" | binary hash | base64 | take first 16 characters
It's a simple algorithm which you don't need to keep secret. Also, you can write down the made-up user/domain/iteration triplets. All you need to keep secure is the master password. Thanks to the iteration, you can lose a generated password without affecting the secrecy of your master password or all the other passwords.
A simpler version would be to take the ASCII hash directly as a password. However, using a binary hash and base64-encoding it allows you to cram more entropy per character into the resulting password.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
They took out the "load images from the originating site only". That was the only safe way I could surf fark.com at work, since forum posters just LOVE to post not-work-safe images. That, and I worry about someone posting an image from a porn site, and the firewall logs would be on me.
I don't mind that the program allows me to be stupid. Big deal...... I do mind however things like drive by hacks, (via activeX) cross-site scripting (ala JavaScript) etc. But do I expect the browser to be my mommy.... NO As for the supposed FF memory leak. That isn't the one that should affect you the most.... Cerebellum Memorus Diareatalis should.
I'm sorry, I'm to tired to be witty at the moment so this message will have to do.
I have well over 100 passwords memorized. I have all my friends phone numbers memorized, too.
How do I do it? The same way people did it before PIMs, smart phones, and password managers.
I use them. It's called reinforcement and it works.
But mentally lazy people don't know that, because they won't try.
I tried the test in the link provided through the article and I passed it as I was using Konqueror (3.5.5). Ahh, now I am relieved that I can not be maliciously attacked...for now!
PassPet is a nifty looking extension that hasn't actually been developed. Would help with this problem, as you have to actually click a button to fill in your password.
GOOD JOB, all you Open Source Programmers: I couldn't be more proud of you :)
:)
Thanks!
Unsigned, for obvious reasons
Truth is, there's only a few skilled programmers writing the code... and the vast majority of those that use it, are as clueless as those that use IE on Windows. They couldn't help you fix a bug, if God Himself came down, and threatened their eternal souls with damnation. Sad, but true.
Pretty much the same for Linux in general these days, too: I'd be willing to bet that the majority of the Linux supporters here on Slashdot can't code... and, of those that can, only a very few can actually write quality OS code... and of those that can, only a VERY few actually do so, to support Linux, as a percentage of the overall Slashdot population.
So, what does that actually SAY about the "Nerd" population here, these days?
Fucking wannabes, I think.
But, they can bitch about "teh RIAA, MPAA", and generate revenue for Slashdot... so, Slashdot caters to the clueless now.
I would love to test whether it works when firefox is using the noscript addon, but I cannot, because I don't use the password manager, it is just retarded to let your browser remember your passwords, really.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
The Firefox teams real intent here was to keep all the geek's off myspace, or any "social networking site" for that matter. Shame on all of you for not knowing better!
Not sure I understand what's supposed to happen. After clicking on the vid (on Chapin Information Service's demo), am I supposed to automatically go to Google? Chapin's demo exploit seems to tell me that I would be redirected to Google.com. It didn't...it went to YouTube where I was logged in under my normal user:pass. I didn't see any sign of anything in the address bar revealing my Chapin user:pass. Is the fact that I already had a YouTube account registered with Password Manager what caused the exploit to fail? Also, my popup blocker stopped Chapin's site from launching something first time through. Was this what threw a wrench in it? I tried manually going to Google.com immediately after clicking on the vid another time through (registering the same user:pass as the first time), but I just don't see anything to indicate that the exploit worked (my user:pass from the demo appears in Googe's address bar? Not that I could see.). Can someone please explain in a bit more detail what should have happened? Mozilla's exploit demo seemed to fail as well, dumping me on a "server not found" error page, but maybe that's what it's supposed to do if the exploit worked.
Tried the second demo on Mozilla's bugtracker. My popup blocker stopped a new window from launching. Nothing else happened that I could tell.
Appreciation expressed in advance to anyone who can enlighten me on what I should be experiencing in Firefox 2. Is this a Windows-version-only thing? I'm on Fedora Core 5.
* * * * *
All mankind is divided into three classes: those that are immovable, those that are movable, and those that move.
--Benjamin Franklin
Patch is available
I'm surprised no one has mentioned the NoScript Extension
No script... no exploit... works great for me...
Just run the proof-of-concept, and phew! I'm not affected. Then I realized that I'm using Konqueror!
Monoculture is a bad, bad, bad thing.
There are options but you do have to know where to look and most people don't. One program I use at both home and work is Oubliette (Windows only I'm afraid).
It's very ease to use and has encryption so I can can carry all my passwords on a USB stick and know even if I lose it no one can get my passwords (unless they hack the master password).
aus.music.scrapbook
I can get into all relevant government sites and many large private sites in Denmark with my government backed digital signature. Digital signatures are supported by the major browsers.
The main problem is that there is a fee for the web site for using it, which means it is not useful for small or amateur sites, they still rely on passwords.
MySpace trusts its users WAYYYY too much. I think it filters out <script tags, but beyond that I make no promises. Any site that needs to warn its users that "using HTML and CSS to hide MySpace's advertisements is not permitted" is asking for it, big time. Note that at least a few profiles do hide the ads anyhow (on those occasions where I visit the site using a browser that will show ads) and some may actually circumvent the scripting restrictions, even.
The advantage is you get to assault your visitors eyes with a combination of bad programming and bad taste... or just bad design in general (links that go to 24px and bold on MouseOver?!? Blue text on blue backgrounds? You get the idea...) You can put up flash (good for music, videos, games, and remote code execution exploits) and forms (doesn't everybody love surveys? What about a way to post comments without scrolling ALL the way to the bottom of the page? Surely you don't have an issue with default buttons that go... somewhere! I know... let's sneak a Password field on there.) I haven't been to the site in a month or two, which means it is settling blissfully into the recesses of my mind...
There's no place I could be, since I've found Serenity...
It is not a bug with firefox, it is a bug with myspace.
I doubt you will find many places other than myspace where this "bug" will be exploited. Why? Because most sites that host user generated content are responsible enough to remove the users ability to post potentially-malicious markup language on the site. These sites strip almost all (if not all) markup and only allow a small handful of decoration tags like BOLD. (Slashdot is a perfect example of allowed html markup)
The problem is that the code on myspace is shoddy at best, and the fact that users can put any kind of html on their myspace page was an accidental result of such. Then when users figured out they could customize their page with css and other markup code they were happy, and so myspace left it in.
Nowadays everyone is so used to myspace letting them customize their page (in a shitty hack sort of way) that if they were to take that aspect away I think myspace would die in a month (I know a lot of girls who only go on myspace so that they can upgrade their page and make it look better by customizing it) so they are not likely to ditch this "feature" of their site.
According to the Bugzilla link, this bug is also present in pre 2.0 releases of Firefox, and IE 6/7.
They say it exists in IE 6/7, so they don't look like the only fool.
So how do they explain the fact that it really 'doesn't exist' in IE 6/7, and doesn't this make them look even more foolish?
And no I won't defend IE6 or even IE7. But keep the facts where they are; this is not an IE exploit.
history | less ?
Get your own free personal location tracker
Firefox started to dissappoint me. I do still belong to mustdie crowd but FF starts to irritate me.
First, it deletes files when they are dragged into the browser window . IE won't even allow you to do the dragging.
Second, if you are getting messages from your Yahoo groups by e-mail on your gmail account, the Yahoo ads are overlaying the text. IE does not do that.
I can easily foresee that if this will continue I am going to consider switching to some other browser. Any recommendations?
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
From what I have read, it takes a n00b to be fooled in that way. AFAIU, the phishing succeeds only if you send the autocompleted form. Who in the right mind would send the form that appeared from nowhere? If I do not expect a form in this place, I do not submit it.
I suspect that many bugs like that can be easily avoided by clean behaviour.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
I was wondering, if FF or any browser auto-populates your login fields, couldn't someone use Ajax to just grab the values and send them to the server before you even hit submit?
"Firefox .. it deletes files when they are dragged into the browser window . IE won't even allow you to do the dragging"
..
Here on FF 2.0 it does no such thing, just opens up in a window, does not delete.
"if you are getting messages from your Yahoo groups by e-mail on your gmail account, the Yahoo ads are overlaying the text. IE does not do that"
I don't understand, does yahoo include adverts in the email. Here on FF 2.0 I have no such problem. I don't even see the adverts in Yahoo as I have adblock enabled.
"I can easily foresee that if this will continue I am going to consider switching to some other browser. Any recommendations?"
Yea, go back to IE7, all the rest are written by sandle wearing, long hair communist hippies
was Re:FF problems
davecb5620@gmail.com
Has anyone else noticed that this isn't the only glaring security hole to do with Firefox's Password Manager?
To be convenient they have added the feature where you can view the username stored for any particular domain in the settings. But what's more, they have added the useful little button called "Show Passwords". I use various shared pc's in my flat. I trust my flatmates enough to store my login details for various sites, but that doesn't mean I want them to have easy access to what the passwords actually are, as they are also used on sites that I don't want to give them access to.
There's the option of using a master password. Great. So everytime I want the computer to automatically fill in my passwords, I have to enter my password, WHAT GENIUS!! I don't want that, but I also don't want to give my flatmates open access to what my passwords actually are!! Stupid no?
When ever FF is talked about, at least once mention the memory leak problem .. :)
.. 300MB RAM, FF = 52MB.
"he has a machine with "only" 512 MB of RAM. What did Firefox do? According to Task Manager, it was consuming 1896 MB of RAM"
I have never experienced the fabled FF memory problem
was You're lucky. (Score:5, memory leak fud)
davecb5620@gmail.com
Bugs are bugs, they happen.
With Open source many eyes and many hands work to fix the bugs.
With closed source only a small group can see or fix the source, and the "originator" of the program may not even want to acknoledge the bug.
I could be mistaken, but couldn't the need for the user to submit the form (request) be sidestepped with AJAX/Web 2.0 scripting, sending the password as soon as the field is populated? Or does the obfuscation of the password field in the browser prevent this?
Open Standards Portal
I just tested it with Seamonkey 1.0.6 (I prefer it over firefox) and the exploit happens on it as well.
Does the name Pavlov ring a bell?
After carefully examining the issue, I come to the conclusion, that for this supposed issue to show up, it means that the legitimate site you are visiting has been hijacked, and a fake login form inserted. If that is the case, the user is liable to enter the username and password. Firefox password manager or not: when the user clicks submit, the password goes to the other site, whether password manager is enabled or not.
Anyone who can inject arbitrary HTML can possibly get your password. This isn't a bug, it's a consequence of submitting your password using an HTML form, and allowing other users fine control of what scripting and form elements appear on the page.
Sites that wish to guard against such attacks should utilize the more robust systems available for authentication, which include: HTTP authentication and Client-side SSL certificates. In both of these cases, a HTML page need not have direct access to the authentication information provided by the user to the web server.
Users of the browser should just be aware that 'password manager' is not an anti-phishing feature in this version of Firefox -- if the site you are visiting wishes to spill your password to another site, when you login, nothing can stop them, whether you use password manager or not. In fact, they can use AJAX to send your password to who knows what other sites in the world, from the moment you start typing it into a HTML form.
I only hit 'save password' for places where it's safe to do, and when I do so, I rather have it err on the side of filling in a password field, than ever have it err on the side of 'not filling in the password', because it thinks a form might be fake. I'll be the judge of that.
Cross-site forms are a feature of HTML. The issue in this case is that a page author can insert a malicious password form on a legitimate site in the first place.
Exploitation of this so called "bug" relies on the site you visit cooperating with the outside site.
That tells me it's not a bug in password manager. The bug is that a site allows a malicious login form to appear on it in the first place. EOM.
Got duped to this one in about 30 seconds... and it's over 10 months old.
Javascript, no. Maybe you're not clear on how this works?
XSS, kind of, yes.
This exploit requires someone be able to insert a <form> element on a trusted site. (A site that you trust at least to have an account with.) The form gets the login info auto-populated by Password Manager, but then submits the results to a different site. This compromises the trusted site's credentials.
I use Password Manager, but rarely let it save passwords. (You're given the option each time, you know.) There are specific situations where it comes in handy for me, and thankfully none of them would expose me to a malicious use of this exploit. So, modulo your lack of specificity on the scenarios that make its use retarded, we agree.
Being security conscious, I (also) use NoScript. The exploit works even with both sites forbidden. So you know. No need for you to go configuring Password Manager to test it. (Which would not have been hard to do — it's a checkbox.)
As for the question of whether this is a Firefox security hole, I think it is. At least partly. Sure, XSS injection is a site-specific vulnerability. That much is the site's fault. But silently performing a credentials fill-in for cross-site form posting in an environment where XSS may happen... This is not ideal. Surely there must be some solution like tying the credentials not just to a domain and/or specific page, but to the triple of URL+form+action. Maybe this is hard to do if the populating is done before the action can be known for sure (as the form action attribute may change after population and before submission).
I can imagine having Firefox perform a check at the moment it attempts to submit: Did we auto-fill the credentials, and is the URL+form+action the same? If so, go ahead. If not, warn user.
Wonder what will come of this all?
The clock is ticking... will Firefox beat IE's response time?
_ 2006_ 2006
according to secunia, IE7 has more severe bugs unpatched, the most severe also affects IE6 and is known since 2006-10-30
http://secunia.com/product/12366/?task=advisories
http://secunia.com/product/12434/?task=advisories
better than any password manager: http://www.passwordmaker.org/
in this age of communication i'm just not getting through
It also won't work on sites that force you to enter your password using buttons (randomly arranged or static). Many banks do this now.
These posts express my own personal views, not those of my employer
Yes, viruses can only spread via sneezes. Oh, don't forgot the good old, I/O shutdown.
Almost all good sites already have a policy where user generated content is served from a separate domain, in an IFrame if need be. Check out google translate, or gmail. Signing in to a site should always be from a different domain to that from which any user generated content is served. It is a quick and easy way of solving this vulnerability and many similar ones.
But didn't buy the t-shirt
Support my political activism on Patreon.