Slashdot Mirror


Holes Remain Open in Firefox Password Manager

juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox' password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"

1 of 191 comments

  1. Re:Thank goodness... by SatanicPuppy · Score: 1, Offtopic

    I just stopped carrying luggage. Now when I travel, if I'm forced to fly commercial, I carry a backpack with what I need, and ship the rest.

    Homeland security is a bad joke; they only prepare for the least likely attacks...I can't carry a soda on the plane because I may have 50,000 dollars worth of chemistry equipment shoved up my ass which would allow me to manufacture that soda into a bomb? Give me an effing break.

    I have to x-ray my shoes because my shoes may explode? Do I look like James Bond? And, insult to injury, they only x-ray the damn things, so if, for example, they were semtex encased in a thin layer of rubber that I was going to detonate with junk stored in my laptop or cell phone, it still wouldn't be caught.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.