Slashdot Mirror


Password Vulnerability In Firefox 2.0.0.5

Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."

10 of 176 comments

  1. Re:Is this OS independent? by Compholio · · Score: 5, Informative

    I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
    I can confirm that it works on Linux.
  2. NoScript by grub · · Score: 5, Informative

    NoScript
    Repeat ad nauseam.

    --
    Trolling is a art,
  3. Re:Is this OS independent? by Mr. Sketch · · Score: 5, Informative

    From what I read, yes. It only exposes passwords for the site you're visiting. The most common case of this is on myspace, where visiting a malicious website will transfer your myspace username/password to the website owner. This vulnerability exists on sites that allow users to post custom html and javascript and will expose your username and password for that site.

    This does not expose all your passwords, so if you have your bank password stored, it's safe, unless your bank has pages that allow users to post custom html and javascript.

  4. Re:Do not save passwords by dvice_null · · Score: 3, Informative

    Passwords are not in plain text, but readable with Firefox.

    You can set a master password to truly encrypt them. But if you let people access your hard drive, you can install keyloggers to steal the master password also. Or any password, no matter whether you save it or not.

  5. FUD by jrumney · · Score: 4, Informative

    Firefox's password file has never been in plain text, although if you don't specify a master password, the decryption key is stored in the same directory, so the encryption will only stop casual opportunists.

  6. Is it Firefox specific? by 140Mandak262Jamuna · · Score: 3, Informative
    From what I understand, the user visits a site and the browser dishes out the remembered username/password to that site. Whenever that site requests the username and password, the browser would do so. If the site allows any visitor to post javascript code and it incorporates such posted code as part of its own page, then the user too can use javascript to request the username/password and use javascript to phone home.

    Now why is any of it Firefox specific? Any browser / browser-helper-object / password help toolbar would do the same. If you have only one user name for a site, firefox will pre-fill the field. And the javascript can read it without a get or post. I would guess this behaviour of prefilling when the username is unique is probably a Firefox thing.

    Generally sites that allow users to post javascript code would be dangerous and should not be visited. But I would not know a priori these sites.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  7. Re:Do not save passwords by strobert · · Score: 4, Informative

    In addition, if you run with NoScript and Secure Login it really helps protect you. The former can let you disable javascript (and java/flash too) by default and only enable for sites you trust. The latter makes it so that for remembered passwords firefox does not fill in the form. Instead it highlights the fields it would fill in and you have to hit the secure login button to post the form data. Makes it so that you know when your saved passwords are being used and bypasses the input flow so that keyloggers can't even record the data.

    I would also recommend installing "Master Password Timeout" which will re-prompt you periodically for the password.

  8. Re:Is this OS independent? by snowgirl · · Score: 4, Informative

    Actually you're safe if you use a master password with your password manager.


    Well this story kind of points out why obviously, this statement isn't necessarily true.
    --
    WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
  9. Oh really? by jgoemat · · Score: 3, Informative
    How are you safe?
    1. Open browser
    2. Click on MySpace bookmark
    3. Enter master password to login to myspace
    4. Visit joebob's page, which has javascript to steal your password
    5. pwn3d
    If you're on the site with the vulnerability, you probably already entered your master password to login, and you only have to do that once per session to use all of your passwords.
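
The exposure the comments describe depends on a site embedding visitor-posted HTML and JavaScript in its own pages, where the browser fills in saved credentials. The following is an added example, not part of the original thread: a Python audit a site operator could run over user-submitted markup to flag script, form and password-input constructs. The class and function names and the sample markup are constructed for illustration, and it is a review aid, not a sanitizer.

```python
from html.parser import HTMLParser

# Attributes whose value is a URL and may carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction"}


class AutofillExposureAudit(HTMLParser):
    """Collects (line, reason) for markup that can run script or host a login form."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        line = self.getpos()[0]
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "script":
            self.findings.append((line, "script element"))
        elif tag == "form":
            self.findings.append((line, "form element"))
        elif tag == "input" and attrs.get("type", "").strip().lower() == "password":
            self.findings.append((line, "password input"))
        for name, value in attrs.items():
            if name.startswith("on"):  # onclick, onload, ...
                self.findings.append((line, "event handler " + name))
            elif name in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript: URL in " + name))


def audit_user_markup(markup):
    """Return the findings for one piece of user-submitted markup."""
    parser = AutofillExposureAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed sample submissions (not taken from any real site).
CONSTRUCTED_BENIGN = '<p>Hello <b>friends</b>, see <a href="https://example.org/">my blog</a></p>'
CONSTRUCTED_RISKY = (
    '<p>Welcome to my page</p>\n'
    '<form><input name="user"><input type="PASSWORD" name="pass"></form>\n'
    '<img src="banner.png" onload="init()">\n'
)

if __name__ == "__main__":
    for line, reason in audit_user_markup(CONSTRUCTED_RISKY):
        print("line", line, "-", reason)
```

An empty result does not prove a submission is safe to embed; a site that accepts user markup still needs an allow-list sanitizer and should serve its login form from pages that carry no user-supplied content.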