Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox 2.0 Password Manager Bug Exposes Passwords

Posted by ryuzaki0 on from the be-careful-out-there dept.

zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."

16 of 315 comments (clear)

  1. passwords have failed by hackstraw · · Score: 5, Insightful


    Now that its 2006, can we now use a better form of "authentication" than a few ascii characters?

    Every website wants you to have a password. You know, for important stuff like making a purchase because you use a password for a purchase at a brick and mortar store, right?

    Well, since its a good practice to use unique passwords, and users get forgetful, then they use the web browser tool to store their passwords, then they forget their passwords, and when they use another computer or update their existing one, their tool does not work, and if it does work, then the browser gives away your passwords.

    I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID). But all day at work, these programs continually ask for my password to the point that I dont consider my password secure because I have to change it, and use it so much, I'm desensisized (sp?) and say who cares?

    Can we get over passwords soon?

    1. Re:passwords have failed by AlXtreme · · Score: 5, Insightful
      I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID).
      Locks get picked. Cars get stolen. RFID can be disrupted, tampered with or your card can get stolen (I'm assuming you don't have RFID tags in your arm). Likewise, passwords can be sniffed. Hell, it doesn't matter how good your encryption is, all it takes is a videocamera pointed at your keyboard.

      How far you go, it doesn't matter. There will always be a trade-off between security and convenience. Personally, I trust a good lock more than I trust RFID. But even if you go all the way to biometrics, there will always be way a to hack the system.

      Even so, this Firefox security flaw is a nasty one.

      --
      This sig is intentionally left blank
    2. Re:passwords have failed by Crudely_Indecent · · Score: 4, Insightful

      Passwords work great for me. I, however, use them with care.

      Any site that uses financial information (my bank, eBay, PayPal, Amazon, or whatever I'm buying, my own servers, etc.) doesn't get the password stored in any form of password manager. On the other hand, inconsequential services like news sites, LUG sites, aquarium discussion groups and the like may have the passwords stored. If it's important, don't store it, don't write it on a post-it note, don't tell your friends.....people cannot be trusted.

      It seems that any security protocol can be circumvented by exploiting the end users who use them poorly or rely on something other than common sense for security.

      It took all of about 5 minutes to explain phishing to my girlfriend. Now, she's almost 1/104358506th as paranoid as I am, which is a good start.

      Now, I'm out of tinfoil......off to the store.

      --


      "Lame" - Galaxar
  2. Is it used? by oyenstikker · · Score: 5, Insightful

    People actually let their browsers remember their passwords? I have never trusted my browser that much.

    --
    The masses are the crack whores of religion.
    1. Re:Is it used? by Phroggy · · Score: 3, Insightful

      Saving passwords should not be a browser feature. I am ashamed that such a big bug could make it into firefox.

      Saving passwords absolutely should be a browser feature; it's a feature I use all the time.

      However, I too am ashamed that such a big bug - or rather, design flaw - could make it into Firefox. I understand the usefulness of being able to use the same saved password information across multiple login forms on one site, but surely someone should have realized the danger here. I mean, these are browser developers. They should have known better.

      Hopefully they'll figure out a solution soon.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  3. Arrrrr by Peyna · · Score: 3, Insightful

    The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain.

    Worst idea ever. The question isn't why wasn't this discovered earlier, but who decided this was a good idea in the first place?

    --
    What?
    1. Re:Arrrrr by jesser · · Score: 4, Insightful

      When browsers added password management features 5 (?) years ago, there weren't a lot of sites that required passwords, included user-generated content, and allowed that user-generated content to include password fields. But there were (and still are) many sites where loading just about any URL on the site could give you a "you need to log in" page.

      I'd be perfectly happy with this becoming part of the accepted security model for web applications, just like "don't let user-generated content include SCRIPT tags with arbitrary content".

      --
      The shareholder is always right.
  4. Sounds more like a bug in myspace by SlightlyMadman · · Score: 2, Insightful

    I thought the rule of thumb for any user-created content was to never allow freeform html? You either let them control their formatting with a separate markup (like BBCode), or you limit them to specific tags (like they do here). In neither of these situations is this exploit possible.

    Allowing full html coding, including embedding java or javascript, is an invitation for the unscrupulous. That's one of the 500 reasons I can think of to never visit a website like myspace.

    That said, much like language, the web is defined by its users. While I don't feel like it's Firefox's responsibility to fix issues like this, they'd do best to be aware of it. It wouldn't be a bad idea at all to tie password remembering to the exact url (at least everything up to the "?") by default.

    --

    Money I owe, money-iy-ay
  5. Not a lot of better options by Kadin2048 · · Score: 4, Insightful

    If you have 50-100 passwords at various sites, established over years, there's really a shortage of other good options. You can go the old-school route and just write them all down on a pad of paper, or the slightly more sophisticated route and put them in a text file or encrypted database on your local machine, but that doesn't help you when you want to log into a site from another machine.

    I was disappointed to hear of this vulnerability, because I use Google Browser Sync pretty heavily for keeping track of cookies and trivial passwords, and to be honest I'm not really sure what I'd do without it. More important passwords I keep in an old Palm Pilot using a GPLed password-management and generation program on it, but recalling passwords from it is a pain (takes several minutes to get Palm out, type in master password, etc.).

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  6. Re:What an incredible gaffe by ResidntGeek · · Score: 2, Insightful

    Right, because you contribute to Firefox, right? If you did, you'd of course have been able to spot this bug with your razor-sharp eyes, right? Oh wait... no, I just remembered you're fallible too, and quite possibly an idiot. Firefox is free. The dev team doesn't have to do shit, they choose to. Stop acting like an entitled 8-year-old at Christmas, and do something useful with your time.

    --
    ResidntGeek
  7. Many FF fans would say... by patio11 · · Score: 5, Insightful

    ... this is just because IE6/7 have poor compatibility with the rest of the world. They can't even support the exploits, anymore, honestly.

    OK, jokes aside, someone just released an exploit into the wild which *can't work on IE*. And they presumably still thought they were going to get something of value on it. Hiya, FireFox, welcome to the "visible enough to be a target" club. And it only gets worse. I hope your million bug finding eyes are bright and perky because it only gets worse and it never, ever stops.

    --
    Help poke pirates in the eyepatch, arr.
    1. Re:Many FF fans would say... by CastrTroy · · Score: 4, Insightful

      The password manager should only fill in the password on the actual page you have entered it on before. This is just common sense. There's many situations where you might enter different credentials at different parts of a site, or where entering your information at one page under a certain domain might actually be a bad thing. This is why I have password manager turned off on all my browsers. It's a littl more work to remember passwords, but it's a lot safer.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  8. Come on... by Anonymous Coward · · Score: 1, Insightful

    Just remember your freaking passwords in your head, is it that hard?

  9. Re:just update it? by gad_zuki! · · Score: 2, Insightful

    Its so calm in here. If this was IE most of the posts would be "WTF M$, 10 DAYZ!!!!!!!! Switch to firefox now!!!!!" Go figure.

  10. Internet Explorer 6/7, Why The Proof Was for FF by Robert+Chapin · · Score: 2, Insightful

    Here is a quick clarification about Internet Explorer 6/7.

    The attack at MySpace worked against IE users because many were lured into typing their passwords into a form. I saw this in action. It was almost indistinguishable from the legitimate version.

    The Bugzilla reference to IE 6/7 was not a comment on the info-svc proof, but the proof at
    https://bugzilla.mozilla.org/attachment.cgi?id=245 426

    That form does some interesting things in both browsers, but it does not reflect a normal client/server situation. IE's password manager behaves differently from Firefox when dealing with forms on more than one page, as in the info-svc proof.

    In my opinion, both browsers should raise a warning when a cross-site form is loaded, or have that option.

    Enjoy

    Robert Chapin
    Chapin Information Services, Inc.

  11. Re:Why I'm not using FF 2.0 by Tim+C · · Score: 3, Insightful

    but editing in about:config is nearly as fast

    Editing about:config is nearly as fast, but finding out that there is a value to edit, what it's called and what to set it to is a damn sight slower...

    --
    It's official. Most of you are morons.