Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox 2.0 Password Manager Bug Exposes Passwords

Posted by ryuzaki0 on from the be-careful-out-there dept.

zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."

8 of 315 comments (clear)

  1. passwords have failed by hackstraw · · Score: 5, Insightful


    Now that its 2006, can we now use a better form of "authentication" than a few ascii characters?

    Every website wants you to have a password. You know, for important stuff like making a purchase because you use a password for a purchase at a brick and mortar store, right?

    Well, since its a good practice to use unique passwords, and users get forgetful, then they use the web browser tool to store their passwords, then they forget their passwords, and when they use another computer or update their existing one, their tool does not work, and if it does work, then the browser gives away your passwords.

    I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID). But all day at work, these programs continually ask for my password to the point that I dont consider my password secure because I have to change it, and use it so much, I'm desensisized (sp?) and say who cares?

    Can we get over passwords soon?

    1. Re:passwords have failed by AlXtreme · · Score: 5, Insightful
      I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID).
      Locks get picked. Cars get stolen. RFID can be disrupted, tampered with or your card can get stolen (I'm assuming you don't have RFID tags in your arm). Likewise, passwords can be sniffed. Hell, it doesn't matter how good your encryption is, all it takes is a videocamera pointed at your keyboard.

      How far you go, it doesn't matter. There will always be a trade-off between security and convenience. Personally, I trust a good lock more than I trust RFID. But even if you go all the way to biometrics, there will always be way a to hack the system.

      Even so, this Firefox security flaw is a nasty one.

      --
      This sig is intentionally left blank
    2. Re:passwords have failed by Crudely_Indecent · · Score: 4, Insightful

      Passwords work great for me. I, however, use them with care.

      Any site that uses financial information (my bank, eBay, PayPal, Amazon, or whatever I'm buying, my own servers, etc.) doesn't get the password stored in any form of password manager. On the other hand, inconsequential services like news sites, LUG sites, aquarium discussion groups and the like may have the passwords stored. If it's important, don't store it, don't write it on a post-it note, don't tell your friends.....people cannot be trusted.

      It seems that any security protocol can be circumvented by exploiting the end users who use them poorly or rely on something other than common sense for security.

      It took all of about 5 minutes to explain phishing to my girlfriend. Now, she's almost 1/104358506th as paranoid as I am, which is a good start.

      Now, I'm out of tinfoil......off to the store.

      --


      "Lame" - Galaxar
  2. Is it used? by oyenstikker · · Score: 5, Insightful

    People actually let their browsers remember their passwords? I have never trusted my browser that much.

    --
    The masses are the crack whores of religion.
  3. Not a lot of better options by Kadin2048 · · Score: 4, Insightful

    If you have 50-100 passwords at various sites, established over years, there's really a shortage of other good options. You can go the old-school route and just write them all down on a pad of paper, or the slightly more sophisticated route and put them in a text file or encrypted database on your local machine, but that doesn't help you when you want to log into a site from another machine.

    I was disappointed to hear of this vulnerability, because I use Google Browser Sync pretty heavily for keeping track of cookies and trivial passwords, and to be honest I'm not really sure what I'd do without it. More important passwords I keep in an old Palm Pilot using a GPLed password-management and generation program on it, but recalling passwords from it is a pain (takes several minutes to get Palm out, type in master password, etc.).

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  4. Re:Arrrrr by jesser · · Score: 4, Insightful

    When browsers added password management features 5 (?) years ago, there weren't a lot of sites that required passwords, included user-generated content, and allowed that user-generated content to include password fields. But there were (and still are) many sites where loading just about any URL on the site could give you a "you need to log in" page.

    I'd be perfectly happy with this becoming part of the accepted security model for web applications, just like "don't let user-generated content include SCRIPT tags with arbitrary content".

    --
    The shareholder is always right.
  5. Many FF fans would say... by patio11 · · Score: 5, Insightful

    ... this is just because IE6/7 have poor compatibility with the rest of the world. They can't even support the exploits, anymore, honestly.

    OK, jokes aside, someone just released an exploit into the wild which *can't work on IE*. And they presumably still thought they were going to get something of value on it. Hiya, FireFox, welcome to the "visible enough to be a target" club. And it only gets worse. I hope your million bug finding eyes are bright and perky because it only gets worse and it never, ever stops.

    --
    Help poke pirates in the eyepatch, arr.
    1. Re:Many FF fans would say... by CastrTroy · · Score: 4, Insightful

      The password manager should only fill in the password on the actual page you have entered it on before. This is just common sense. There's many situations where you might enter different credentials at different parts of a site, or where entering your information at one page under a certain domain might actually be a bad thing. This is why I have password manager turned off on all my browsers. It's a littl more work to remember passwords, but it's a lot safer.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.