Firefox 2.0 Password Manager Bug Exposes Passwords

zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."

But but but....

...secure by design!!

I sense a disturbance in the force...

[LordEd]

...as though millions of Firefox users were laughing at IE users, and were suddenly silenced.

Cue "still more secure" arguments now.

Re:I sense a disturbance in the force...

[ticklish2day]

I switched to IE7 a week ago after Vista RTMd. I don't miss FF. I've also been running without anti-virus for the entire week. I ran a system virus scan today and ZILCH - no viruses. No spyware or adware either. It might have to do with the fact that my machine isn't connected to a network...

passwords have failed

[hackstraw]

Now that its 2006, can we now use a better form of "authentication" than a few ascii characters?

Every website wants you to have a password. You know, for important stuff like making a purchase because you use a password for a purchase at a brick and mortar store, right?

Well, since its a good practice to use unique passwords, and users get forgetful, then they use the web browser tool to store their passwords, then they forget their passwords, and when they use another computer or update their existing one, their tool does not work, and if it does work, then the browser gives away your passwords.

I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID). But all day at work, these programs continually ask for my password to the point that I dont consider my password secure because I have to change it, and use it so much, I'm desensisized (sp?) and say who cares?

Can we get over passwords soon?

Re:passwords have failed

[AlXtreme]

I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID).

Locks get picked. Cars get stolen. RFID can be disrupted, tampered with or your card can get stolen (I'm assuming you don't have RFID tags in your arm). Likewise, passwords can be sniffed. Hell, it doesn't matter how good your encryption is, all it takes is a videocamera pointed at your keyboard.

How far you go, it doesn't matter. There will always be a trade-off between security and convenience. Personally, I trust a good lock more than I trust RFID. But even if you go all the way to biometrics, there will always be way a to hack the system.

Even so, this Firefox security flaw is a nasty one.

Re:passwords have failed

[irc.goatse.cx+troll]

I strongly hope so. My recommendation would be public key authentication, the way SSH can do it. You'd need a private key (possibly on a crypto card, but a thumbdrive or floppy or whatever works fine) and a password for that. You authenticate to the key when launching your encryption agent, then any website that wants to verify who you are contacts your agent and does the authentication there.

Infinitely more secure than our current password system, a lot more convenient (think Microsoft Passport's bragged about convenience, except none of your data is stored on a central server), and all around the BetterWay(tm). The main downside if when roaming to another machine if you don't have your key, you don't have access. This can be addressed with either being able to fall back on a password (removing a lot of the security), or some means of authenticating to your home computer.

You could also add some sort of spec for feeding VCard info into the agent so that sites could use it to do a sort of shared profile feature, where you'd authorize a site to receive certain info and save you a lot of time filling stuff out.

Unfortunately this is just yet another thing on the list of "tech the way I think it should be", not anything on anyones todo lists.

Is it used?

[oyenstikker]

People actually let their browsers remember their passwords? I have never trusted my browser that much.

Many FF fans would say...

[patio11]

... this is just because IE6/7 have poor compatibility with the rest of the world. They can't even support the exploits, anymore, honestly.

OK, jokes aside, someone just released an exploit into the wild which *can't work on IE*. And they presumably still thought they were going to get something of value on it. Hiya, FireFox, welcome to the "visible enough to be a target" club. And it only gets worse. I hope your million bug finding eyes are bright and perky because it only gets worse and it never, ever stops.