Slashdot Mirror


Firefox 2.0 Password Manager Bug Exposes Passwords

zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."
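As an added example, not part of the Slashdot story or of Mozilla's own code, the model below contrasts the autofill decision the bug describes (fill any form on a page whose origin matches the saved login) with a hardened check that also requires the form's submit target to match the target the login was saved with. The function names, the `savedLogin` record and every URL are constructed assumptions.

```javascript
// Added example (not Mozilla's code): a minimal model of the autofill
// decision behind the RCSR bug. The vulnerable policy keys a saved login
// only by the origin of the page showing the form; the hardened policy
// also requires the form's submit target to match the target the login
// was saved with. All URLs below are constructed sample values.

function originOf(url, base) {
  const u = new URL(url, base);       // resolves relative actions against the page
  return `${u.protocol}//${u.host}`;
}

// Constructed record: a login saved while signing in on a www.myspace.com
// form that posted to login.myspace.com.
const savedLogin = {
  pageOrigin: "http://www.myspace.com",
  actionOrigin: "http://login.myspace.com",
};

// Vulnerable policy: any form on a page with the saved page origin is
// filled, no matter where the form sends the credentials.
function vulnerableShouldFill(saved, pageUrl, formAction) {
  return originOf(pageUrl) === saved.pageOrigin;
}

// Hardened policy: the form must also submit to the origin the login was
// saved for. A form placed on a same-origin page that posts elsewhere is
// refused whether or not its fields are visible.
function hardenedShouldFill(saved, pageUrl, formAction) {
  if (originOf(pageUrl) !== saved.pageOrigin) return false;
  let actionOrigin;
  try {
    actionOrigin = originOf(formAction, pageUrl);
  } catch (e) {
    return false;                     // unparsable action: never fill
  }
  return actionOrigin === saved.actionOrigin;
}

// Constructed case from the bug report: a form on a user profile page
// (same origin as the site) whose action points at a third-party host.
const profilePage = "http://www.myspace.com/some_profile";
const injectedAction = "http://collector.example/grab";

// The site's real login form, for comparison.
const loginPage = "http://www.myspace.com/login";
const legitimateAction = "http://login.myspace.com/index.cfm";
```

The vulnerable policy fills the profile-page form; the hardened policy refuses it and still fills the real login form.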

12 of 315 comments

  1. But but but.... by Anonymous Coward · · Score: 5, Funny

    ...secure by design!!

  2. I sense a disturbance in the force... by LordEd · · Score: 5, Funny

    ...as though millions of Firefox users were laughing at IE users, and were suddenly silenced.

    Cue "still more secure" arguments now.

    1. Re:I sense a disturbance in the force... by ticklish2day · · Score: 5, Funny

      I switched to IE7 a week ago after Vista RTMd. I don't miss FF. I've also been running without anti-virus for the entire week. I ran a system virus scan today and ZILCH - no viruses. No spyware or adware either. It might have to do with the fact that my machine isn't connected to a network...

  3. stopgap measures include... by Gary+W.+Longsine · · Score: 3, Funny

    ...using Microsoft Internet Explorer. AAaaaaaaaaaaaargh!

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.

  4. Re:Is it used? by wumpus188 · · Score: 2, Funny

    That's what this new service is for. Let others remember your passwords!

  5. RTFA? by smittyoneeach · · Score: 2, Funny

    RTFA?
    The hell, you say.
    'Tis slashdot, bucko:
    No read-read today.
    Always for good suds we pray.
    Burma Shave

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear

  6. Re:passwords have failed by Anonymous Coward · · Score: 2, Funny

    Did you have a proposed solution? Or were just cryin' like a little bitch with a skinned knee and shit?

  7. Obligatory disclaimer! by FaustIN · · Score: 2, Funny

    Aha!... that's why sometimes I don't remember posting bad language comments!

    Thought until now of multiple personality but mystery solved! It was just my browser!...

    PS: I shall not be held accountable for ANY of my comments...

  8. Re:passwords have failed by Anonymous Coward · · Score: 1, Funny

    I know! Let's use a centralized auth. server! We will name it Passport!!!- ...damn never mind

  9. Thank God! by PHAEDRU5 · · Score: 2, Funny

    I have MS password management to control access to my Firefox password manager.

    Phew!

    --
    668: Neighbour of the Beast

  10. Re:Come on... by Safiire+Arrowny · · Score: 2, Funny

    Actually, I posted that anonymously because I couldn't remember my username.

  11. Re:passwords have failed by wud · · Score: 2, Funny

    I store all my trivial passwords on bugmenot.com

    --
    wud