Firefox 2.0 Password Manager Bug Exposes Passwords

zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."

Re:passwords have failed

[irc.goatse.cx+troll]

I strongly hope so. My recommendation would be public key authentication, the way SSH can do it. You'd need a private key (possibly on a crypto card, but a thumbdrive or floppy or whatever works fine) and a password for that. You authenticate to the key when launching your encryption agent, then any website that wants to verify who you are contacts your agent and does the authentication there.

Infinitely more secure than our current password system, a lot more convenient (think Microsoft Passport's bragged about convenience, except none of your data is stored on a central server), and all around the BetterWay(tm). The main downside if when roaming to another machine if you don't have your key, you don't have access. This can be addressed with either being able to fall back on a password (removing a lot of the security), or some means of authenticating to your home computer.

You could also add some sort of spec for feeding VCard info into the agent so that sites could use it to do a sort of shared profile feature, where you'd authorize a site to receive certain info and save you a lot of time filling stuff out.

Unfortunately this is just yet another thing on the list of "tech the way I think it should be", not anything on anyones todo lists.