Slashdot Mirror
Password Vulnerability In Firefox 2.0.0.5
Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."
I never liked firefox's save password ability. It stores the password in plane text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a passwords this way. It is worse than writing your password down and putting it in your desk.
A unique way to learn a language: http://languageloom.com
Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.
Like anywhere else, you need to make a trade off between usability and security. Sure, it's not perfectly secure, but it's not worth it to me to have to remember the one off junk password I made up for NYTimes.com.
The real issue, as usual, is javascript. I use "NoScript" and am careful about which sites I allow to execute scripts at all. That will do more for your security than anything else.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
And this is why I save all of my passwords in IE
This is why we need something better that text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do either one of two things - use the password remembering method in their browser of choice or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.
How may I help you today?
It's not possible for websites to steal saved passwords from other websites; it's only possible to steal a password if Firefox auto-fills a password field, and obviously this only occurs if you're on website you saved the password for in the first place.
Reading my list of saved passwords; my company intranet sites aren't vulnerable, my bank website isn't vulnerable, my shopping sites aren't vulnerable. All that is vulnerable are forum websites, and that's only if someone finds a way to inject Javascript, which is normally stripped out by all of them.
I don't think it's possible to avoid this without serious hijinks to the DOM; it has always been possible to inspect the current contents of form inputs, including password inputs.
How is this news again? If you have enough knowledge to post a slashdot article, its certainly not your first time here, and one would hope you saw the SAME issue from 3-6 days ago.
This is Slashdot! Give me the latest gadget, bug, or OS project! This ain't english class so don't confuse the two!
Who modded the parent post "Insightful", and why? It is a one line blanket statement cast against millions of people without discussion or foundation. I hope someone takes away your mod points.
If you use many websites that require you to log in you don't have many options. You could use one password for all of them, in which case a breach on one account by an attacker essentially breaches all other accounts that they discover, or you can use unique passwords on each site, in which case it soon becomes impossible to remember them all accurately - especially for sites that you don't use very often. Additionally, some sites have rules around the number of upper case characters, special characters, digits, etc. in passwords, and these can be particularly difficult to remember.
Certainly people are foolish if they store logins for bank accounts and the like in the password manager, but most people only have one or two really important logins.
People who use the remember passwords functions are not idiots. People who expect the "remember passwords" functionality to be secure are not idiots either - if an application used by millions includes such functionality one would expect the developers to have secured it.
Or unless you use the same password for myspace and a bunch of other places
You'd probably begin to care after someone "hacks" your MySpace page and posts distasteful or illegal language or images. Explaining all of that to a police officer or a judge and jury is rife with peril.
But the other point I think is pertinent here is that Firefox is really going for the common man crowd -- you don't buy a full-page ad in the New York Times if you want only geeks. So knowing that the average joe will be using Firefox and will happily save sensitive information if encouraged to do so (as one is with Firefox), that particular feature really has to be pretty rock-solid (or at the very least, not vulnerable to a pretty basic and classic javascript exploit).
Don't get me wrong -- I love Firefox and use it almost exclusively. But this is the kind of thing that, whether truly a hazard to most users or not, can scare people away if it is carelessly presented to the public. Or if it really is a risk.
It is pitch black. You are likely to be eaten by a grue.
Why do idiots still spread the FUD that it is bad or a "security threat" to use their credit card online? You are perfectly safe. If someone does steal and use your number you are only responsible for the first $50, and every bank I've ever dealt with if waive that. Idiots like you are the reason it took me so long to convince my mom not use use PERSONAL CHECKS an eBay. Because of the FUD about credit cards, I had a hard time explaining to her that they were MUCH safer than checks! You are MORE vulnerable using your credit card in a "real" store than online.
It also means that bugs get fixed faster and that if mozilla stops supporting a platform someone else can, and that we can have things like swiftfox available, so I think it is a good trade.
But security through obscurity doesn't really work too well anyways...
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Possibly, but how many bugs have been exploited in Firefox because of being able to view the source code and how many would have been picked up by a closed-source 'fuzzing' anyway?
This one was a "how the browser works" based on visible behaviour, so it would have been found in a closed-source app as well.
NoScript is a horrible fix for this, because NoScript and the password manager use the same method to determine what is safe: the domain name of the server.
If I go to, say, Blogspot.com with FF and I'm a member, I probably log in and save my password with FF. If I have NoScript and I visit the page frequently and post lots of comments, I also probably have blogspot.com on the trusted site list. If I go to a malicious blog (well, alright, a blog that exploits this vulnerability -- they're all malicious) then a) I'll be on a site that the password manager trusts and I'll be on a site that NoScript trusts.
The road to tyranny has always been paved with claims of necessity.
Why must every decision either be the best, most secure, or one made by an idiot? Aren't there decisions that may not be the ideal or may have some downsides to that aren't made by idiots?
The only thing I know is that I don't know anything; and I'm not even sure about that.