Password Vulnerability In Firefox 2.0.0.5
Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."
I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
Three days ago: http://it.slashdot.org/article.pl?sid=07/07/20/1252215
I never liked firefox's save password ability. It stores the password in plain text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a password this way. It is worse than writing your password down and putting it in your desk.
A unique way to learn a language: http://languageloom.com
Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.
Like anywhere else, you need to make a trade off between usability and security. Sure, it's not perfectly secure, but it's not worth it to me to have to remember the one off junk password I made up for NYTimes.com.
The real issue, as usual, is javascript. I use "NoScript" and am careful about which sites I allow to execute scripts at all. That will do more for your security than anything else.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
All the truly intelligent people use Lynx.
Ben Hocking
Need a professional organizer?
NoScript
Repeat ad nauseam.
Trolling is a art,
And this is why I save all of my passwords in IE
This is why we need something better than text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do either one of two things - use the password remembering method in their browser of choice or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.
How may I help you today?
I'm going to log in to your email and send your mother all the gay porn I can find.
That would be found in a tarball of your home directory.
Trolling is a art,
Real men use telnet for every IP session.
Same for me -- important passwords, like my bank's online account access, I never allow anything to save, not even Firefox.
It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
Yeah, it's the same issue. On the plus side, they don't link to the same article (unless you count the fact that this one links to an article that links to the article from the old one)
It's not possible for websites to steal saved passwords from other websites; it's only possible to steal a password if Firefox auto-fills a password field, and obviously this only occurs if you're on the website you saved the password for in the first place.
Reading my list of saved passwords; my company intranet sites aren't vulnerable, my bank website isn't vulnerable, my shopping sites aren't vulnerable. All that is vulnerable are forum websites, and that's only if someone finds a way to inject Javascript, which is normally stripped out by all of them.
I don't think it's possible to avoid this without serious hijinks to the DOM; it has always been possible to inspect the current contents of form inputs, including password inputs.
Very funny you jerk! You steal my password, then mock me on my slashdot account! Is there an admin around? -The Real Normal Dan
It's not a vulnerability ... it's an IE migration to Firefox feature!
"Keep at least 3-6 full bottles of hard alcohol on hand, a 2 week resignation notice,..." - Poetmatt
How is this news again? If you have enough knowledge to post a slashdot article, it's certainly not your first time here, and one would hope you saw the SAME issue from 3-6 days ago.
This is Slashdot! Give me the latest gadget, bug, or OS project! This ain't english class so don't confuse the two!
Ah yes, the old "you are an idiot if you don't do things the way I do them" argument. Are we grumpy because we are out of Clearasil today? Or did mommy start asking for basement rent?
link?
Firefox's password file has never been in plain text, although if you don't specify a master password, the decryption key is stored in the same directory, so the encryption will only stop casual opportunists.
Meh, if someone has access to my computer physically anyways they can get all my passwords by installing a keylogger anyways. The vulnerability only affects the sites that let people post custom html/javascript. Those sites are just social sites like myspace and other stuff and who cares if someone gets your password for that.
This isn't theft, it's liberation! Information (including passwords) wants to be free!
"Ask not what your country can do for you." --John F. Kennedy
On the subject of JavaScript-enabled security holes, I use Javascript because so many sites depend on it, but block all scripts using NoScript until I decide to trust the domain of origin of the script. What I'd really like is a NoScript that will let me look at the script's source code before I decide to trust it, and allow/deny scripts on a per-script rather than per-domain basis.
That said, is there a good Add-on for Firefox that handles password-management more securely? Something that keeps them stored in an encrypted format would be a step in the right direction.
You see? You see? Your stupid minds! Stupid! Stupid!
I knew Post It Notes were more secure!
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
wrong.
http://it.slashdot.org/article.pl?sid=07/07/20/1252215
Who modded the parent post "Insightful", and why? It is a one line blanket statement cast against millions of people without discussion or foundation. I hope someone takes away your mod points.
If you use many websites that require you to log in you don't have many options. You could use one password for all of them, in which case a breach on one account by an attacker essentially breaches all other accounts that they discover, or you can use unique passwords on each site, in which case it soon becomes impossible to remember them all accurately - especially for sites that you don't use very often. Additionally, some sites have rules around the number of upper case characters, special characters, digits, etc. in passwords, and these can be particularly difficult to remember.
Certainly people are foolish if they store logins for bank accounts and the like in the password manager, but most people only have one or two really important logins.
People who use the remember passwords functions are not idiots. People who expect the "remember passwords" functionality to be secure are not idiots either - if an application used by millions includes such functionality one would expect the developers to have secured it.
Secure Login: https://addons.mozilla.org/en-US/firefox/addon/4429 Lots and lots of settings for every taste
Sure, it's a big issue, yet how many people actually use the "remember my password" feature? I just usually check the "remember me" box near the login and password entering fields, or enter my passwords manually.
You'd probably begin to care after someone "hacks" your MySpace page and posts distasteful or illegal language or images. Explaining all of that to a police officer or a judge and jury is rife with peril.
But the other point I think is pertinent here is that Firefox is really going for the common man crowd -- you don't buy a full-page ad in the New York Times if you want only geeks. So knowing that the average joe will be using Firefox and will happily save sensitive information if encouraged to do so (as one is with Firefox), that particular feature really has to be pretty rock-solid (or at the very least, not vulnerable to a pretty basic and classic javascript exploit).
Don't get me wrong -- I love Firefox and use it almost exclusively. But this is the kind of thing that, whether truly a hazard to most users or not, can scare people away if it is carelessly presented to the public. Or if it really is a risk.
It is pitch black. You are likely to be eaten by a grue.
Now why any of it is Firefox specific? Any browser/ browser-helper-object /password help toolbar would do the same. If you have only one user name for a site, firefox will pre-fill the field. And the javascript can read it without a get or post. I would guess this behaviour of prefilling when the username is unique is probably a Firefox thing.
Generally sites that allow users to post javascript code would be dangerous and should not be visited. But I would not know a priori these sites.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I use FireFox for 95% of my browsing (mainly because of no ActiveX and AdBlock Plus), but I've always wondered if being open source means that code monkeys can write script to steal password just by simply knowing how the browser works...not by taking advantage of a published security hole...
Please, isn't it the site's vulnerability and not Firefox's, eh?!!
If a site owner tells me it's my browser's fault that their users can change their site's behaviour, and s/he is not going to do anything about it, I'll leave the damn site.
In most cases a vulnerability like this will not significantly increase your risk of exploitation as most web sites store passwords in cookies anyway, which are supposed to be readable by javascript from the originating site. If I can run a script on a myspace profile that you visit I can get your password from the cookie that myspace stores on your machine.
Why do idiots still spread the FUD that it is bad or a "security threat" to use their credit card online? You are perfectly safe. If someone does steal and use your number you are only responsible for the first $50, and every bank I've ever dealt with will waive that. Idiots like you are the reason it took me so long to convince my mom not to use PERSONAL CHECKS on eBay. Because of the FUD about credit cards, I had a hard time explaining to her that they were MUCH safer than checks! You are MORE vulnerable using your credit card in a "real" store than online.
I actually think gp is right to one extent.
For the sites I don't care about I use the same generic old password that I have used from 2003, I mean, if they are stolen I just risk a bunch of dummy email addresses and other crappy services I don't really care too much about. For the things that matter I keep tough and strong passwords that I better remember and not "write them down" or let a browser keep them... Often things that matter are just 3 so memory is not an obstacle...
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Safari also vulnerable...
Not only that, but when they use the free passwords, it's not identity theft, it's identity infringement.
Err, I don't know about myspace, but any half-decently programmed website (hopefully the majority) won't be storing anything in your cookies other than trivial configurations preferences and a session key. Certainly not your password. While it's possible to hijack the session by reading the session key (and there are ways of preventing that on the server side too), that won't get you the user's password. Unless the site in question is incredibly badly programmed, in which case you're probably lost anyway.
a) If it is your machine you could just as well use a PGP encrypted text file. If the website in question is still vulnerable, then it is a problem with the website, and changing browser won't help you.
b) If it is not your machine, or if you think your machine is compromised, then you really shouldn't be typing your passwords in it to begin with.
Seriously, find a strong passphrase and store the damn password list as a PGP encrypted file on a USB pen drive. Only decrypt it on machines you trust. If you still lose your password then you either typed it into a compromised machine ( meaning you're fucked anyway ), you were victim to a man in the middle attack ( meaning you're fucked anyway ) or there was a vulnerability on the server side ( meaning you're fucked anyway ).
Personally I don't trust a whole lot of websites to secure their own systems so I don't use my root or e-mail password for my facebook account...
keeps it much easier for all my sites, except my bank for which I use Pa$$word. I trust you guys here not to spread this around.
Help end the use of Sigs. Tomorrow
The Great Law of Computer Security: Networked computers are insecure by nature. Everything that is stored within a networked computer can and will be compromised. Corollary: Always use a non-networked computer to store critical data, or better yet, no computer at all; a piece of paper inside your wallet is probably safer at most situations. Shortened version: Distrust all computers.
I have found all versions of FF from 1.0 to 2.0.0.4 tend to sometimes store a password unasked, and then automatically fill in the password (but not the username) on my next visit to the site.
I have never heard of anyone else having this problem, and I cannot reliably reproduce it, but it does happen occasionally.
ftp://127.0.0.1/home
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Since then I've been using supergenpass which allows you to have a unique password for each web site generated using a master password and a hash of the domain.
I no longer save passwords in firefox, and the passwords used on websites are nicely random too. Moreover, I only need to remember my master password and so can use any computer.
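The scheme described in the comment above (one master password plus the site's domain giving a unique password per site), as an added example that is not part of the original thread and is not SuperGenPass's own algorithm: it assumes PBKDF2-HMAC-SHA256 as the derivation, and the function names, work factor and sample URLs are constructed for illustration.

```javascript
// Added example: deterministic per-site passwords from one master secret.
const crypto = require("crypto");

const ITERATIONS = 100000; // assumed work factor; slows guessing of the master password

// Key the derivation on the hostname of the page actually loaded, never on a
// name typed by the user, so a look-alike domain yields an unrelated password.
function siteKey(pageUrl) {
  return new URL(pageUrl).hostname.toLowerCase().replace(/^www\./, "");
}

// Typical site rule: at least one lowercase letter, one uppercase letter, one digit.
function meetsPolicy(pw) {
  return /[a-z]/.test(pw) && /[A-Z]/.test(pw) && /[0-9]/.test(pw);
}

function sitePassword(master, pageUrl, length = 16) {
  if (!master) throw new Error("master password must not be empty");
  if (length < 8 || length > 40) throw new RangeError("length must be 8..40");
  const host = siteKey(pageUrl);
  // Re-derive with a round counter until the policy is met; the result stays
  // deterministic because the counter always starts at 0.
  for (let round = 0; ; round++) {
    const salt = `sitepw:${host}:${round}`;
    const raw = crypto.pbkdf2Sync(master, salt, ITERATIONS, 32, "sha256");
    const pw = raw.toString("base64")
      .replace(/\+/g, "-")
      .replace(/\//g, "_")
      .slice(0, length);
    if (meetsPolicy(pw)) return pw;
  }
}

// Constructed sample inputs: same master password, real host vs. look-alike host.
const demoMaster = "correct horse battery staple";
console.log(sitePassword(demoMaster, "https://forum.example/login"));
console.log(sitePassword(demoMaster, "https://forum.example.evil.test/login"));
```

Nothing is stored on disk, so there is no saved entry for the browser to prefill, but a script running on the legitimate site can still read the field once the derived password has been entered there.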
You're right -- I'm not arguing anything on behalf of other browsers (particularly IE -- as a guy who lives and breathes CSS all day, that alone has me hating IE). I'm just saying that the anyman's browser needs to provide protection IF it offers it. You could certainly make the password saving function an option you turn on instead of have to turn off. But that kind of hides it from new users who don't know where to look (or that there's anything to look for). I think better encryption defaults (like the creation of an administrative password as mentioned elsewhere) might be a better tactic.
It is pitch black. You are likely to be eaten by a grue.
Why must every decision either be the best, most secure, or one made by an idiot? Aren't there decisions that may not be the ideal or may have some downsides to that aren't made by idiots?
If it has anything to do with money, or some place where I can be made to look like an idiot, I don't. If it's one of my travel agency sites, why not? The only thing you can do is book some travel, and I get the commission.
Is there some reason that Firefox thought it was a good idea to automatically populate passwords for the user?
It just seems to me like better design to require some sort of user interaction before coughing up a password.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Since disabling JavaScript really isn't an option these days, I guess my question is: Does using a Master Password (like I do) really protect you, and will somebody from Mozilla comment, please? Seriously, since the advent of an integrated Master Password I've been letting my web browser remember passwords for me, but this really put a dent in my confidence.
- I voted for Nintendo and against Bush
set signon.prefillForms to false
Ohmygod. Dupes belong to the culture of Slashdot, they are the cherry on the cake for all the people who don't get a message at the first time, or who make a living pointing out dupes on /.
For what it's worth, messages with a subject ~ "*[Dd]upe*\!" are the most common dupes, and should be avoided at all cost.
We should stop pointing out dupes and start slashing non-dupes. That would reduce the traffic by at least 24.3% and would allow /. to postpone the next harddisk purchase by a month or two, or one could purchase 750GB instead of 1TB disks.
open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;
How to solve: Do the opposite of what's done with input type=file
With input type=file, the script cannot write the value, and changing it to this from another type clears the value. With input type=password, have it so that changing it _from_ password _to_ another type clears the value, and so that the script cannot _read_ the value.
We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
As long as no one figures out an exploit wherein the hacker can turn on my webcam and point it at the yellow sticky notes stuck to the side of my monitor, they'll never get my passwords.
"Flag on the moon. How did it get there?"
This exploit involves users visiting a malicious website. To learn more about this exploit, click here.
The Right Reverend K. Reid Wightman,
to allow any APPLICATION to remember my passwords...
That's what my brain is for. And for those of you without brains - and you know who you are - there are encrypted password managers for that.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
> You are MORE vulnerable using your credit card in a "real" store than online.
Care to back that up?
Max.
God, I wish everyone would just switch over to OpenID and be done with it. One password for everything? Sign me up! (Well, I already have). Now I'm just waiting/hoping it'll gain critical mass and start being implemented into every site.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
- Open browser
- Click on MySpace bookmark
- Enter master password to login to myspace
- Visit joebob's page, which has javascript to steal your password
- pwn3d
If you're on the site with the vulnerability, you probably already entered your master password to login, and you only have to do that once per session to use all of your passwords.
IF you password protect your master password list then when you go to the "evil page" it will pop up a window asking for your master password. Furthermore, to protect yourself even more you can install this plugin, Master Password Timeout, and set your password to time out after a very short period of time. This way, every page you go to during your session that has a login, you will have to enter your master password again anew.
Is this a fix? No. Does this work on all OS's? Yes.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
Back in the day when I got my first sparkling new Windows PC, it had this great feature called an address book, built in and waiting eagerly to save all the email addresses of the friends I sent email to. At the same time I got that Windows PC onto the internet by the new modern 32kb/sec dialup connection I had, I was hearing/reading about how viruses could be used to "read" the contents of my address book for infecting/spamming purposes.
So I never used it.
I apply the same principle to web browsers of all flavours which offer to "save" my passwords. Not hard is it?
If you really, seriously can't remember UID/Passwords for websites, keep a small notebook handy (and safe).
Don't blame me, it's usually 2 in the morning when I post