Holes Remain Open in Firefox Password Manager

juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox' password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"

Possible fix

[Arthur+B.]

Do not use a pull model but a push model like the bugmenot extension. A right click in the login form would allow you to automatically enter saved information. It's much safer.

password complexity

[farker+haiku]

I used to think (back in my tech support days) that people who couldn't remember their password were just plain stupid. These days, I work in a large firm that has tons of different passwords for everything. Unix passwords, windows passwords, spam mail setting utility password, time tracking utilities have passwords, passwords are required for clearcase/clearquest, remote login, etc. Each of them has different password complexity rules. I no longer criticize people for forgetting their password.

Firefox password manager

[wile_e_wonka]

The thing that scared me away from the password manager in Firefox was a program called System Info for Windows. It lists all sorts of things about your computer--click on "Secrets." It searches for passwords in several programs--I have a few passwords saved in FF and the vast majority in Opera. I saw both programs mentioned in its analysis (meaning it searched both FF and Opera for saved passwords). It listed every saved FF password but no Opera passwords.

It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same.

Re:Clarification

[Opportunist]

That's exactly the problem with Web2.0, that NoScript would probably not cut it.

Take MySpace. How do you want to handle it? Whitelist MySpace as a whole? Then you got no security. Whitelist certain user pages? Then someone who browses userpages has essentially the equivalent of having JS turned off and gets bugged every 2 seconds. And the potential problem that someone might generate content you want to see and bug it.

The problem is not that certain domains are "evil". Ok, that problem exists, too, but it's a very different problem. The problem is that it's now possible to put malicious script code into user generated content, and that other content on the same server and domain is what people want to see.