Slashdot Mirror


Firefox 2.0 Password Manager Bug Exposes Passwords

zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."

7 of 315 comments

  1. Not just Firefox 2.0, also IE6/7 and earlier F'fox by Andy_R · · Score: 4, Informative

    According to the Bugzilla link, this bug is also present in pre 2.0 releases of Firefox, and IE 6/7.

    So much for me being smug about going back to Firefox 1.5!

    --
    A pizza of radius z and thickness a has a volume of pi z z a
  2. Dissatisfied with v2.0 by macdaddy · · Score: 3, Informative
    I don't know about everyone else but I am generally dissatisfied with v2.0. Frankly I felt that the memory leak in FF was significantly amplified in 2.0. I noticed back on 1.5 that every time I put my laptop into standby with FF running and then woke it up that FF would slowly increase its memory consumption to about 30% more than what it was before being put into standby. I.e., if it was 100MB when it went to standby it would be around 130MB after waking the laptop, switching focus to FF, and clicking through my opened tabs. In FF 2.0 I have to literally shut down FF every day or two or FF will easily consume upwards of 500MB of my RAM. I usually have about a dozen windows open and in each window I have 5-15 tabs. That's a fair bit but it didn't cause me much grief in v1.5.

    It also took me a while to figure out how to remove the close button from each tab. The tab scrolling "feature" was also a point of great annoyance that took up more of my time to find a fix.

    In short I'm just not jumping for joy over FF. This new flaw happens to come to light the day after I search Google for a way to manually add userids and passwords to the FF DB (any ideas?). This was to address the problem of FF not picking up some text fields as userid and password fields. One solution I found was RoboForm, though I'm not sure I want to pay for what I think should be a fairly easy thing to do inside FF. FF is getting better but personally I'd rather be using Mozilla 1.7.x.

  3. Re:Is it used? by Odiumjunkie · · Score: 4, Informative

    > No biggie, except that the 'reveal all passwords' button exists (and, last I checked, required no authentication to use).

    Firefox, for as long as I can remember, has allowed you to set a master password, without which the password manager will not populate any password fields and will not allow the viewing of any stored passwords.

  4. WARNING by tezbobobo · · Score: 3, Informative

    DEERPARK 1.5.0.4 is also vulnerable - based on firefox 1.5

  5. Alternatives to browser stored passwords by natet · · Score: 3, Informative

    I for one only use the browser's store password feature for the most trivial of sites. For more important sites, I use Password Safe. The program and the database fit easily on a thumb drive, and require a master password to access. It has a user configurable time out, and a double click on an account copies the data to the clipboard for later use, allowing you to foil keyboard-based sniffers.

    --
    IANAL... But I play one on /.
  6. Re:I sense a disturbance in the force... by LordEd · · Score: 3, Informative
    Didn't even think of the 'response time' end.

    Please look at the bug report. Submission of testcase file is November 12 (9 days ago)

    From TFA:
    It was first discovered in the wild by Netcraft on Oct. 27 (25 days ago)
    The clock is ticking... will Firefox beat IE's response time?
  7. Re:I sense a disturbance in the force... by zootm · · Score: 3, Informative

    HTML forms work just fine without Javascript. And yes, you're effectively tricked into clicking an action button. If you look at the sample "injected HTML", they make it look like the user is clicking a Flash movie when in fact they're clicking a blank image-type <input> on the page. This submits the GET-style form. So long as the user is "tricked" into clicking something, and forms are allowed, this could steal the password from the password manager.

    The code is available in the text box at the bottom of this page. Neither Flash nor Javascript is required to trigger the exploit, just a click from a user in an attacker-defined position on the page.
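
A hosting-side check for the situation described in the summary and in zootm's comment: scan user-supplied markup for forms that contain a password field, since a password manager that fills by domain will populate them. This is an added example, not code from the thread or the bug report; the `audit` function, the hostnames and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormAudit(HTMLParser):
    """Collect every <form> in a fragment that contains a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._form = None  # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.handle_endtag("form")  # flush an unclosed previous form
            # A missing or empty action submits back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            off_host = urlsplit(action).hostname != urlsplit(self.page_url).hostname
            self._form = {"action": action, "off_host": off_host,
                          "method": (a.get("method") or "get").lower(),
                          "password": False, "image_submit": False}
        elif tag == "input" and self._form is not None:
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                self._form["password"] = True
            elif kind == "image":  # clickable image that submits the form
                self._form["image_submit"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["password"]:
                self.findings.append(self._form)
            self._form = None


def audit(fragment, page_url):
    """Return the password-bearing forms found in user-supplied markup."""
    parser = PasswordFormAudit(page_url)
    parser.feed(fragment)
    parser.close()
    parser.handle_endtag("form")  # flush a form the markup never closed
    return parser.findings


# Constructed sample: markup a user submitted for a page on a shared domain.
SAMPLE = """<form action="https://collector.example/c">
<input name="u"><input type="password" name="p"><input type="image" src="x.gif">
</form><form action="/search"><input name="q"></form>
<form action="save"><input type=password name=p>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "https://profiles.example/user/123"):
        print(finding)
```

Any finding in user-supplied markup is worth rejecting on a site whose visitors store credentials for the same domain; `off_host` and `image_submit` only help triage.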