Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Vulnerability In Firefox 2.0.0.5

Posted by CmdrTaco on from the waiting-for-the-patch-boys dept.

Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."

7 of 176 comments (clear)

  1. Dupe? by InvisblePinkUnicorn · · Score: 5, Informative

    Three days ago: http://it.slashdot.org/article.pl?sid=07/07/20/125 2215

  2. Re:Is this OS independent? by Compholio · · Score: 5, Informative

    I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
    I can confirm that it works on Linux.
  3. NoScript by grub · · Score: 5, Informative

    NoScript
    Repeat ad nauseum.

    --
    Trolling is a art,
  4. Re:Is this OS independent? by Mr.+Sketch · · Score: 5, Informative

    From what I read, yes. It only exposes passwords for the site you're visiting. The most common case of this is on myspace, where visiting a malicious website will transfer your myspace username/password to the website owner. This vulnerability exists on sites that allow users to post custom html and javascript and will expose your username and password for that site.

    This does not expose all your passwords, so if you have you bank password stored, it's safe, unless your bank has pages that allow users to post custom html and javascript.

    --
    Things you think are in the Constitution, but are not.
  5. FUD by jrumney · · Score: 4, Informative

    Firefox's password file has never been in plain text, although if you don't specify a master password, the decryption key is stored in the same directory, so the encryption will only stop casual opportunists.

  6. Re:Do not save passwords by strobert · · Score: 4, Informative

    In addition if you run with Noscript and Secure Login it really helps protect you. The former can let you disable javascript (and java/flash too) by default and only enable for sites you trust. The later makes it so that for remembered passwords firefox does not fill in the form. Instead it highlights the fields it would fill in and you have to hit the secure login button to post the form data. Makes it so that you know when you saved passwords are being used and bypasses the input flow so that keyloggers can't even record the data.

    I would also recommend installing "Master Password Timeout" which will re-prompt you periodically for the password.

  7. Re:Is this OS independent? by snowgirl · · Score: 4, Informative

    Actually you're safe if you use a master password with your password manager.


    Well this story kind of points out why obviously, this statement isn't necessarily true.
    --
    WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS