Slashdot Mirror
Password Vulnerability In Firefox 2.0.0.5
Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."
I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
Three days ago: http://it.slashdot.org/article.pl?sid=07/07/20/125 2215
Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.
Like anywhere else, you need to make a trade off between usability and security. Sure, it's not perfectly secure, but it's not worth it to me to have to remember the one off junk password I made up for NYTimes.com.
The real issue, as usual, is javascript. I use "NoScript" and am careful about which sites I allow to execute scripts at all. That will do more for your security than anything else.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
All the truly intelligent people use Lynx.
Ben Hocking
Need a professional organizer?
Ben Hocking
Need a professional organizer?
NoScript
Repeat ad nauseum.
Trolling is a art,
And this is why I save all of my passwords in IE
This is why we need something better that text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do either one of two things - use the password remembering method in their browser of choice or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.
How may I help you today?
Passwords are not in plain text, but readable with Firefox.
You can set master password to truely encrypt them. But if you let people to access your harddrive, you can install keyloggers to steal the master password also. Or any password, no matter do you save it or not.
Real men use telnet for every IP session.
Yeah, it's the same issue. On the plus side, they don't link to the same article (unless you count the fact that this one links to an article that links to the article from the old one)
It stores the password in plane text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a passwords this way. It is worse than writing your password down and putting it in your desk.
Even worse, because it uses plane text, you are helping the terrorists, who can now hijack your passwords and fly them into skyscrapers!
Very funny you jerk! You steal my password, then mock me on my slashdot account! Is there an admin around? -The Real Normal Dan
How is this news again? If you have enough knowledge to post a slashdot article, its certainly not your first time here, and one would hope you saw the SAME issue from 3-6 days ago.
This is Slashdot! Give me the latest gadget, bug, or OS project! This ain't english class so don't confuse the two!
Firefox's password file has never been in plain text, although if you don't specify a master password, the decryption key is stored in the same directory, so the encryption will only stop casual opportunists.
This isn't theft, it's liberation! Information (including passwords) wants to be free!
"Ask not what your country can do for you." --John F. Kennedy
I knew Post It Notes were more secure!
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Who modded the parent post "Insightful", and why? It is a one line blanket statement cast against millions of people without discussion or foundation. I hope someone takes away your mod points.
If you use many websites that require you to log in you don't have many options. You could use one password for all of them, in which case a breach on one account by an attacker essentially breaches all other accounts that they discover, or you can use unique passwords on each site, in which case it soon becomes impossible to remember them all accurately - especially for sites that you don't use very often. Additionally, some sites have rules around the number of upper case characters, special characters, digits, etc. in passwords, and these can be particularly difficult to remember.
Certainly people are foolish if they store logins for bank accounts and the like in the password manager, but most people only have one or two really important logins.
People who use the remember passwords functions are not idiots. People who expect the "remember passwords" functionality to be secure are not idiots either - if an application used by millions includes such functionality one would expect the developers to have secured it.
Secure Login
You'd probably begin to care after someone "hacks" your MySpace page and posts distasteful or illegal language or images. Explaining all of that to a police officer or a judge and jury is rife with peril.
But the other point I think is pertinent here is that Firefox is really going for the common man crowd -- you don't buy a full-page ad in the New York Times if you want only geeks. So knowing that the average joe will be using Firefox and will happily save sensitive information if encouraged to do so (as one is with Firefox), that particular feature really has to be pretty rock-solid (or at the very least, not vulnerable to a pretty basic and classic javascript exploit).
Don't get me wrong -- I love Firefox and use it almost exclusively. But this is the kind of thing that, whether truly a hazard to most users or not, can scare people away if it is carelessly presented to the public. Or if it really is a risk.
It is pitch black. You are likely to be eaten by a grue.
Now why any of it is Firefox specific? Any browser/ browser-helper-object /password help toolbar would do the same. If you have only one user name for a site, firefox will pre-fill the field. And the javascript can read it without a get or post. I would guess this behaviour of prefilling when the username is unique is probably a Firefox thing.
Generally sites that allow users to post javascript code would be dangerous and should not be visited. But I would not know a priori these sites.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
In addition if you run with Noscript and Secure Login it really helps protect you. The former can let you disable javascript (and java/flash too) by default and only enable for sites you trust. The later makes it so that for remembered passwords firefox does not fill in the form. Instead it highlights the fields it would fill in and you have to hit the secure login button to post the form data. Makes it so that you know when you saved passwords are being used and bypasses the input flow so that keyloggers can't even record the data.
I would also recommend installing "Master Password Timeout" which will re-prompt you periodically for the password.
Why do idiots still spread the FUD that it is bad or a "security threat" to use their credit card online? You are perfectly safe. If someone does steal and use your number you are only responsible for the first $50, and every bank I've ever dealt with if waive that. Idiots like you are the reason it took me so long to convince my mom not use use PERSONAL CHECKS an eBay. Because of the FUD about credit cards, I had a hard time explaining to her that they were MUCH safer than checks! You are MORE vulnerable using your credit card in a "real" store than online.
It also means that bugs get fixed faster and that if mozilla stops supporting a platform someone else can, and that we can have things like swiftfox available, so I think it is a good trade.
But security through obscurity doesn't really work too well anyways...
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Safari also vulnerable...
Possibly, but how many bugs have been exploited in Firefox because of being able to view the source code and how many would have been picked up by a closed-source 'fuzzing' anyway?
This one was a "how the browser works" based on visible behaviour, so it would have been found in a closed-source app as well.
Pretty much all text is plane text. Unless it's 3 dimensional I guess.
Why must every decision either be the best, most secure, or one made by an idiot? Aren't there decisions that may not be the ideal or may have some downsides to that aren't made by idiots?
Did I detect a hint of sarcasm? Well then let me explain it for you.
Suppose you signup for online banking and setup a password. Then you signup for some stupid website and use the same password. The problem is, you don't know if you can trust that 2nd site with your online banking password. They may just be phishing for passwords. Or maybe they are honest but incompetent enough to store your password in the DB in plain text, conveniently waiting there for the next hacker to locate.
The solution: Use separate passwords for the 2 sites? But then how do you start partitioning things? Do all the banking sites get the same password, your email a different password, you photo website a separate password, etc? Can you even trust all banks to have the same password? Perhaps it would be safer to use a different password for each one.
By now you are looking at dozens of different passwords. Trouble is...how do you remember them all? Write them all down? Thats a big no-no. However, what if you put them in a text file and then encrypted the file? Now you only have to remember 1 thing...the decryption key, and that NEVER has to be given to anyone.
But no, I guess sarcastic mocking is funner, isn't it?
- Open browser
- Click on MySpace bookmark
- Enter master password to login to myspace
- Visit joebob's page, which has javascript to steal your password
- pwn3d
If you're on the site with the vulnerability, you probably already entered your master password to login, and you only have to do that once per session to use all of your passwords.