Slashdot Mirror


Safari and Chrome: Tied For the Worst Password Manager

Startled Hippo writes "Safari and Chrome are tied for the worst password manager built into a major Web browser, according to a new study on the issue produced by Chapin Information Services. One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site. The bug has been fixed in Firefox, but Chrome and Safari are still vulnerable to this kind of attack."

13 of 218 comments

  1. users can be tricked too... by Anonymous Coward · · Score: 5, Funny

    http://www.bash.org/?244321

  2. Aha! by fbish · · Score: 5, Funny

    Luckikly, all my passwords are exactly the same, so I'm fine.

    1. Re:Aha! by fbish · · Score: 5, Funny

      Luckily, I also cannot spell.

  3. I Use A Mac... by Telephone+Sanitizer · · Score: 5, Funny

    ...So I'm safe, right? ;-)

    1. Re:I Use A Mac... by goombah99 · · Score: 5, Informative

      Macs do get credit for putting the passwords where they belong: in a centralized password keychain. Firefox rolls its own separate password manager. At various times Firefox's keychain has been found to be insecure, and it's separate from your other keychains. There's no simple keychain browser interface like the centralized keychain protection system Safari uses.

      If you want to encrypt or hide or transport all your passwords it's easy in safari but hard in firefox since how it's done changes.

      --
      Some drink at the fountain of knowledge. Others just gargle.

    2. Re:I Use A Mac... by Jugalator · · Score: 5, Interesting

      --
      Beware: In C++, your friends can see your privates!

  4. Why focus on Chrome? by myxiplx · · Score: 5, Insightful

    To be honest, when the best browser is only scoring 7/21 they *all* need some work. Focusing on Chrome just means you're ignoring the bigger picture.

    1. Re:Why focus on Chrome? by tomknight · · Score: 5, Insightful

      You're assuming that the metric used by this company/person actually means something...

      --
      Oh arse

  5. Before someone asks by Opportunist · · Score: 5, Informative

    "How can this be exploited" when some subtree member of a domain can read credentials that should only be given to the top-level member, read http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug.

    To save the others the hassle, allow me to sketch something. It's trivial to get the domain a000001.amazon.com under your control. It is, believe me, if you don't, just read it up. Well, maybe not exactly a0000001... but something to the quality of $foo.amazon.com can easily be made to point back to a webpage you control.

    Next, create a page for the internet's most sought-after resource: pr0n. Do like the missionaries and spread the word; unlike them, you have ICQ and spam at your disposal to get people to visit your page. On this page, refer to $foo.amazon.com.

    Then have $foo.amazon.com ask for the credentials.

    It's not so much that the threat of hijacking a "real" domain name (i.e. amazon.com itself) is too big after a few ISPs toughened their DNS lookups when the patches didn't come quickly. Few ISPs are left that are actually vulnerable to having their caches completely rewritten. Subdomains can still be hijacked (even after the half-assed patch we got lately), and in combination with browsers that send credentials to whatever subdomain, it's a serious security problem.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
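
The story summary and the comment above both describe the same weakness: a password manager that hands out credentials saved for one host to any other host under the same domain. The following is an added example, not code from the Slashdot story, from Chapin Information Services, or from any browser; it is a toy credential lookup in Node.js that contrasts the loose domain-based matching being criticised with a strict policy that only fills a form when both the page origin and the form's submit target equal the origin the credentials were saved for. The sample vault, the host names and the registrable-domain helper (last two labels, standing in for a Public Suffix List lookup) are constructed assumptions of the example.

```javascript
// Added example (not from the Slashdot story or any commenter): a toy
// password-manager lookup deciding whether saved credentials may be
// auto-filled into a login form.
//   looseLookup  - matches on the registrable domain only, so any
//                  subdomain of amazon.com receives the www.amazon.com
//                  credential (the behaviour the thread complains about).
//   strictLookup - requires the page origin and the form's submit target
//                  to equal the saved origin exactly (scheme, host, port).
// Uses the WHATWG URL class that Node.js provides globally.

// Constructed sample vault: one credential saved on www.amazon.com.
const SAMPLE_STORE = [
  { origin: 'https://www.amazon.com', username: 'alice', password: 'example-password-1' },
];

// Full origin (scheme + host + port) of a URL string.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Toy "registrable domain": the last two host labels. Real browsers consult
// the Public Suffix List; this simplification is an assumption of the example.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Loose policy: return every credential whose saved host shares the
// registrable domain with the page, regardless of subdomain or scheme.
function looseLookup(store, pageUrl) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  return store.filter(
    (c) => registrableDomain(new URL(c.origin).hostname) === pageDomain,
  );
}

// Strict policy: the page origin must equal the saved origin, and the form
// action (resolved against the page URL, since actions are often relative)
// must post back to that same origin. A subdomain, an http downgrade, or a
// form that submits elsewhere all yield null, so nothing is filled.
function strictLookup(store, pageUrl, formAction) {
  const pageOrigin = originOf(pageUrl);
  const actionOrigin = new URL(formAction, pageUrl).origin;
  if (actionOrigin !== pageOrigin) return null;
  return store.find((c) => c.origin === pageOrigin) || null;
}

// Run the scenarios from the thread and return them as one object.
function demo() {
  return {
    // attacker-controlled subdomain asking for a login
    looseOnSubdomain: looseLookup(SAMPLE_STORE, 'https://a000001.amazon.com/login').length,
    strictOnSubdomain: strictLookup(SAMPLE_STORE, 'https://a000001.amazon.com/login', '/login'),
    // the genuine site, form posting back to itself
    strictOnRealSite: strictLookup(SAMPLE_STORE, 'https://www.amazon.com/login', '/signin'),
    // genuine page, but the form's action points at another host
    strictOnForeignAction: strictLookup(SAMPLE_STORE, 'https://www.amazon.com/login', 'https://a000001.amazon.com/collect'),
    // same host, plain http instead of the https the credential was saved for
    strictOnHttpDowngrade: strictLookup(SAMPLE_STORE, 'http://www.amazon.com/login', '/signin'),
  };
}

console.log(demo());
```

Under the loose policy the subdomain scenario returns the saved credential; under the strict policy only the genuine page with a same-origin form action does, and the three other cases return null. The form-action check is the part that matters beyond plain host matching: a page on the real origin can still carry a form that submits elsewhere, and a manager that fills based on the page URL alone would hand the secret to that target.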

  6. Is this really worth noting? by tomknight · · Score: 5, Insightful

    "Chapin Information Services."

    Who??

    Seriously, this looks like a typical "storm in a teacup to get people to take me seriously as a security researcher" notification.

    Who here really lets any password manager save any password they care about? I have Opera save details for systems that don't matter, everything else I just remember.

    Check out the website for more information about this astounding company.

    --
    Oh arse

  7. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  8. I should get out more often... by jonaskoelker · · Score: 5, Funny

    http://www.bash.org/?244321

    I don't need to go there. I know the answer is "hunter2" (if you're the guy, I just copy-pasted the ***s from bash.org, that's why it shows up as hunter2 on your screen).

    Is that a sign I should get out more often? ;)

  9. Re:Never use password managers by poopdeville · · Score: 5, Funny

    I often leave notes for desk-Nazis like you: "e@t_a_d1ck" or "Stop looking under my keyboard, asshole"

    --
    After all, I am strangely colored.