Slashdot Mirror


Password Vulnerability In Firefox 2.0.0.5

Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."

12 of 176 comments

  1. Re:Is this OS independent? by Compholio · · Score: 5, Informative

    I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?

    I can confirm that it works on Linux.
  2. Re:Password Remember Function by SatanicPuppy · · Score: 5, Insightful

    Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.

    Like anywhere else, you need to make a trade-off between usability and security. Sure, it's not perfectly secure, but it's not worth it to me to have to remember the one-off junk password I made up for NYTimes.com.

    The real issue, as usual, is javascript. I use "NoScript" and am careful about which sites I allow to execute scripts at all. That will do more for your security than anything else.

    --
    Ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  3. NoScript by grub · · Score: 5, Informative

    NoScript
    Repeat ad nauseam.

    --
    Trolling is a art,
    1. Re:NoScript by Bacon+Bits · · Score: 5, Insightful

      NoScript is a horrible fix for this, because NoScript and the password manager use the same method to determine what is safe: the domain name of the server.

      If I go to, say, Blogspot.com with FF and I'm a member, I probably log in and save my password with FF. If I have NoScript and I visit the page frequently and post lots of comments, I also probably have blogspot.com on the trusted site list. If I go to a malicious blog (well, alright, a blog that exploits this vulnerability -- they're all malicious) then a) I'll be on a site that the password manager trusts and b) I'll be on a site that NoScript trusts.

      --
      The road to tyranny has always been paved with claims of necessity.
  4. Re:Is this OS independent? by Mr.+Sketch · · Score: 5, Informative

    From what I read, yes. It only exposes passwords for the site you're visiting. The most common case of this is on myspace, where visiting a malicious website will transfer your myspace username/password to the website owner. This vulnerability exists on sites that allow users to post custom html and javascript and will expose your username and password for that site.

    This does not expose all your passwords, so if you have your bank password stored, it's safe, unless your bank has pages that allow users to post custom html and javascript.
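
The trust-boundary point made in the Bacon+Bits and Mr. Sketch comments above (the password manager keys its autofill decision on the domain alone, so user-posted content on a remembered domain inherits that trust), modelled as an added example that is not part of this thread and not Firefox's own code: a toy domain-only autofill policy beside one that also requires the login form to submit to the same origin the credential was originally saved against. The vault entries, page URLs and form actions are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SavedLogin:
    page_origin: str    # origin of the page the login was saved on
    action_origin: str  # origin the login form submitted to when it was saved
    username: str
    password: str


@dataclass(frozen=True)
class LoginForm:
    page_url: str    # URL of the page that contains the form
    action_url: str  # where the form submits; in user-posted content this is author-controlled


def origin(url: str) -> str:
    """scheme://host[:port], host lower-cased; the unit both policies compare on."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc.lower()}"


def domain_only_autofill(form: LoginForm, vault: list) -> Optional[SavedLogin]:
    """Naive policy: any login form on a remembered origin gets the credential."""
    for login in vault:
        if origin(form.page_url) == login.page_origin:
            return login
    return None


def origin_checked_autofill(form: LoginForm, vault: list) -> Optional[SavedLogin]:
    """Hardened policy: the page origin must match AND the form must submit
    to the origin it submitted to when the credential was saved."""
    for login in vault:
        if (origin(form.page_url) == login.page_origin
                and origin(form.action_url) == login.action_origin):
            return login
    return None


# Constructed sample data: one remembered login for a blog host that also serves user content.
VAULT = [SavedLogin("https://blog.example", "https://blog.example", "alice", "hunter2")]
LEGIT = LoginForm("https://blog.example/login", "https://blog.example/session")
# A form embedded in a user's post on the same host, submitting off-origin.
HOSTILE = LoginForm("https://blog.example/users/mallory/post", "https://collector.example/grab")

if __name__ == "__main__":
    print("domain-only fills hostile form:", domain_only_autofill(HOSTILE, VAULT) is not None)
    print("origin-checked fills hostile form:", origin_checked_autofill(HOSTILE, VAULT) is not None)
```

The same-origin-of-action check is only the narrow fix for the case the thread discusses; a form in user content that submits somewhere on the same origin still passes it, which is why the comments point at controlling where scripts and user-posted markup run at all.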

  5. Re:Do not save passwords by Mascot · · Score: 5, Insightful

    That's what the "Master Password" option is for.

    Use a master password

            Firefox can protect sensitive information such as saved passwords
            and certificates by encrypting them using a master password. If you create a
            master password, each time you start Firefox, it will ask you to enter
            the password the first time it needs to access a certificate or stored
            password.
  6. Passwords in general by the.nourse.god · · Score: 5, Insightful

    And this is why I save all of my passwords in IE

    This is why we need something better than text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do one of two things - use the password remembering method in their browser of choice or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.

  7. Please Help!! by The+Real+Normal+Dan · · Score: 5, Funny

    Very funny you jerk! You steal my password, then mock me on my slashdot account! Is there an admin around? -The Real Normal Dan

  8. Re:Wimp by Anonymous Coward · · Score: 5, Funny

    i just attach the cables to my nipples and decode the packets manually.

  9. Re:Wimp by rleibman · · Score: 5, Funny

    i just attach the cables to my nipples and decode the packets manually.

    Yeah, but can you generate outbound traffic?

  10. Re:Is this OS independent? by RealGrouchy · · Score: 5, Funny

    I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable? I can confirm that it works on Linux.

    TFA, or the vulnerability?

    - RG>
    --
    Hey pal, this isn't a pleasant forest, so don't waste my time with pleasantries!