Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Vulnerability In Firefox 2.0.0.5

Posted by CmdrTaco on from the waiting-for-the-patch-boys dept.

Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."

32 of 176 comments (clear)

  1. Is this OS independent? by sexybomber · · Score: 4, Interesting

    I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?

    1. Re:Is this OS independent? by Compholio · · Score: 5, Informative

      I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
      I can confirm that it works on Linux.
    2. Re:Is this OS independent? by Mr.+Sketch · · Score: 5, Informative

      From what I read, yes. It only exposes passwords for the site you're visiting. The most common case of this is on myspace, where visiting a malicious website will transfer your myspace username/password to the website owner. This vulnerability exists on sites that allow users to post custom html and javascript and will expose your username and password for that site.

      This does not expose all your passwords, so if you have you bank password stored, it's safe, unless your bank has pages that allow users to post custom html and javascript.

      --
      Things you think are in the Constitution, but are not.
    3. Re:Is this OS independent? by slagell · · Score: 3, Insightful

      Or unless you use the same password for myspace and a bunch of other places

    4. Re:Is this OS independent? by PPH · · Score: 4, Funny

      Memo to self: Take my /. password, 'ImADork' off my bank account.

      --
      Have gnu, will travel.
    5. Re:Is this OS independent? by snowgirl · · Score: 4, Informative

      Actually you're safe if you use a master password with your password manager.


      Well this story kind of points out why obviously, this statement isn't necessarily true.
      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    6. Re:Is this OS independent? by Anonymous Coward · · Score: 3, Funny

      I already changed your bank password for ya.

      Dork.

    7. Re:Is this OS independent? by RealGrouchy · · Score: 5, Funny

      I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable? I can confirm that it works on Linux. TFA, or the vulnerability?

      - RG>
      --
      Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
  2. Dupe? by InvisblePinkUnicorn · · Score: 5, Informative

    Three days ago: http://it.slashdot.org/article.pl?sid=07/07/20/125 2215

  3. Re:Password Remember Function by SatanicPuppy · · Score: 5, Insightful

    Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.

    Like anywhere else, you need to make a trade off between usability and security. Sure, it's not perfectly secure, but it's not worth it to me to have to remember the one off junk password I made up for NYTimes.com.

    The real issue, as usual, is javascript. I use "NoScript" and am careful about which sites I allow to execute scripts at all. That will do more for your security than anything else.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  4. Or Firefox for that matter by benhocking · · Score: 3, Funny

    All the truly intelligent people use Lynx.

    --
    Ben Hocking
    Need a professional organizer?
  5. Low security passwords by benhocking · · Score: 3, Funny

    Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.
    Absolutely. My Slashdot password, for example, is one that I allow Firefox to remember. Er, not that I'm claiming Slashdot is BS or anything. ;)
    --
    Ben Hocking
    Need a professional organizer?
  6. NoScript by grub · · Score: 5, Informative

    NoScript
    Repeat ad nauseum.

    --
    Trolling is a art,
    1. Re:NoScript by Bacon+Bits · · Score: 5, Insightful

      NoScript is a horrible fix for this, because NoScript and the password manager use the same method to determine what is safe: the domain name of the server.

      If I go to, say, Blogspot.com with FF and I'm a member, I probably log in and save my password with FF. If I have NoScript and I visit the page frequently and post lots of comments, I also probably have blogspot.com on the trusted site list. If I go to a malicious blog (well, alright, a blog that exploits this vulnerability -- they're all malicious) then a) I'll be on a site that the password manager trusts and I'll be on a site that NoScript trusts.

      --
      The road to tyranny has always been paved with claims of necessity.
  7. Re:Do not save passwords by Mascot · · Score: 5, Insightful
    That's what the "Master Password" option is for.

    Use a master password

            Firefox can protect sensitive information such as saved passwords
            and certificates by encrypting them using a master password. If you create a
            master password, each time you start Firefox, it will ask you to enter
            the password the first time it needs to access a certificate or stored
            password.
  8. Passwords in general by the.nourse.god · · Score: 5, Insightful

    And this is why I save all of my passwords in IE

    This is why we need something better that text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do either one of two things - use the password remembering method in their browser of choice or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.

    --
    How may I help you today?
  9. Re:Do not save passwords by dvice_null · · Score: 3, Informative

    Passwords are not in plain text, but readable with Firefox.

    You can set master password to truely encrypt them. But if you let people to access your harddrive, you can install keyloggers to steal the master password also. Or any password, no matter do you save it or not.

  10. Re:Wimp by dattaway · · Score: 4, Funny

    telnet is for weenies.

    netcat is for men.

  11. Please Help!! by The+Real+Normal+Dan · · Score: 5, Funny

    Very funny you jerk! You steal my password, then mock me on my slashdot account! Is there an admin around? -The Real Normal Dan

  12. FUD by jrumney · · Score: 4, Informative

    Firefox's password file has never been in plain text, although if you don't specify a master password, the decryption key is stored in the same directory, so the encryption will only stop casual opportunists.

  13. Stealing passwords? Hardly... by goldspider · · Score: 4, Funny

    This isn't theft, it's liberation! Information (including passwords) wants to be free!

    --
    "Ask not what your country can do for you." --John F. Kennedy
  14. Re:Wimp by Anonymous Coward · · Score: 5, Funny

    i just attach the cables to my nipples and decode the packets manually.

  15. Re:Password Remember Function by Tridus · · Score: 4, Funny

    I knew Post It Notes were more secure!

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  16. Re:Password Remember Function by DigitAl56K · · Score: 4, Insightful

    Who modded the parent post "Insightful", and why? It is a one line blanket statement cast against millions of people without discussion or foundation. I hope someone takes away your mod points.

    If you use many websites that require you to log in you don't have many options. You could use one password for all of them, in which case a breach on one account by an attacker essentially breaches all other accounts that they discover, or you can use unique passwords on each site, in which case it soon becomes impossible to remember them all accurately - especially for sites that you don't use very often. Additionally, some sites have rules around the number of upper case characters, special characters, digits, etc. in passwords, and these can be particularly difficult to remember.

    Certainly people are foolish if they store logins for bank accounts and the like in the password manager, but most people only have one or two really important logins.

    People who use the remember passwords functions are not idiots. People who expect the "remember passwords" functionality to be secure are not idiots either - if an application used by millions includes such functionality one would expect the developers to have secured it.

  17. Re:Password Remember Function by eck011219 · · Score: 4, Insightful
    There are a couple issues here. First of all ...

    Those sites are just social sites like myspace and other stuff and who cares if someone gets your password for that.

    You'd probably begin to care after someone "hacks" your MySpace page and posts distasteful or illegal language or images. Explaining all of that to a police officer or a judge and jury is rife with peril.

    But the other point I think is pertinent here is that Firefox is really going for the common man crowd -- you don't buy a full-page ad in the New York Times if you want only geeks. So knowing that the average joe will be using Firefox and will happily save sensitive information if encouraged to do so (as one is with Firefox), that particular feature really has to be pretty rock-solid (or at the very least, not vulnerable to a pretty basic and classic javascript exploit).

    Don't get me wrong -- I love Firefox and use it almost exclusively. But this is the kind of thing that, whether truly a hazard to most users or not, can scare people away if it is carelessly presented to the public. Or if it really is a risk.
    --
    It is pitch black. You are likely to be eaten by a grue.
  18. Is it Firefox specific? by 140Mandak262Jamuna · · Score: 3, Informative
    From what I understand, the user visits a site and the browser dishes out the remembered username password to that site. Whenever that site requests the username and password, the browser would do so. If the site allows anyvisitor to post javascript code and it incorporates such posted code as part of its own page, then the user too can use javascript to request the username/password and use javascript to phone home.

    Now why any of it is Firefox specific? Any browser/ browser-helper-object /password help toolbar would do the same. If you have only one user name for a site, firefox will pre-fill the field. And the javascript can read it without a get or post. I would guess this behaviour of prefilling when the username is unique is probably a Firefox thing.

    Generally sites that allow users to post javascript code would be dangerous and should not be visited. But I would not know a priori these sites.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  19. Re:Do not save passwords by strobert · · Score: 4, Informative

    In addition if you run with Noscript and Secure Login it really helps protect you. The former can let you disable javascript (and java/flash too) by default and only enable for sites you trust. The later makes it so that for remembered passwords firefox does not fill in the form. Instead it highlights the fields it would fill in and you have to hit the secure login button to post the form data. Makes it so that you know when you saved passwords are being used and bypasses the input flow so that keyloggers can't even record the data.

    I would also recommend installing "Master Password Timeout" which will re-prompt you periodically for the password.

  20. Safari by ens0niq · · Score: 3, Interesting

    Safari also vulnerable...

    1. Re:Safari by pherthyl · · Score: 3, Interesting

      Interestingly enough, Konqueror/KHTML (on which Safari is based) is not vulnerable (just tried the demo). It does password saving as well, but apparently have found a way to avoid the problem.

  21. Re:Do not save passwords by eln · · Score: 4, Funny

    Pretty much all text is plane text. Unless it's 3 dimensional I guess.

  22. Re:Wimp by rleibman · · Score: 5, Funny

    i just attach the cables to my nipples and decode the packets manually.

    Yeah, but can you generate outbound traffic?

  23. Oh really? by jgoemat · · Score: 3, Informative
    How are you safe?
    1. Open browser
    2. Click on MySpace bookmark
    3. Enter master password to login to myspace
    4. Visit joebob's page, which has javascript to steal your password
    5. pwn3d
    If you're on the site with the vulnerability, you probably already entered your master password to login, and you only have to do that once per session to use all of your passwords.