Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Vulnerability In Firefox 2.0.0.5

Posted by CmdrTaco on from the waiting-for-the-patch-boys dept.

Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."

4 of 176 comments (clear)

  1. Re:Password Remember Function by SatanicPuppy · · Score: 5, Insightful

    Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.

    Like anywhere else, you need to make a trade off between usability and security. Sure, it's not perfectly secure, but it's not worth it to me to have to remember the one off junk password I made up for NYTimes.com.

    The real issue, as usual, is javascript. I use "NoScript" and am careful about which sites I allow to execute scripts at all. That will do more for your security than anything else.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  2. Re:Do not save passwords by Mascot · · Score: 5, Insightful
    That's what the "Master Password" option is for.

    Use a master password

            Firefox can protect sensitive information such as saved passwords
            and certificates by encrypting them using a master password. If you create a
            master password, each time you start Firefox, it will ask you to enter
            the password the first time it needs to access a certificate or stored
            password.
  3. Passwords in general by the.nourse.god · · Score: 5, Insightful

    And this is why I save all of my passwords in IE

    This is why we need something better that text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do either one of two things - use the password remembering method in their browser of choice or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.

    --
    How may I help you today?
  4. Re:NoScript by Bacon+Bits · · Score: 5, Insightful

    NoScript is a horrible fix for this, because NoScript and the password manager use the same method to determine what is safe: the domain name of the server.

    If I go to, say, Blogspot.com with FF and I'm a member, I probably log in and save my password with FF. If I have NoScript and I visit the page frequently and post lots of comments, I also probably have blogspot.com on the trusted site list. If I go to a malicious blog (well, alright, a blog that exploits this vulnerability -- they're all malicious) then a) I'll be on a site that the password manager trusts and I'll be on a site that NoScript trusts.

    --
    The road to tyranny has always been paved with claims of necessity.