Password Vulnerability In Firefox 2.0.0.5

Posted by CmdrTaco on Mon Jul 23, 2007 10:18 AM
from the waiting-for-the-patch-boys dept.
Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."
  • by sexybomber (740588) on Monday July 23 2007, @10:20AM (#19956533)
    I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
    • by Compholio (770966) on Monday July 23 2007, @10:24AM (#19956581)

      I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
      I can confirm that it works on Linux.
      • Re: (Score:3, Funny)

        I can confirm that it works on AmigaOS, Atari, Sinclair ZX81 and PDP too.

        Well...actually I can't. If you excuse me, I'll go back to my corner where I can dialog with my shadow.
      • by RealGrouchy (943109) on Monday July 23 2007, @12:51PM (#19958785)

        I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
        I can confirm that it works on Linux.
        TFA, or the vulnerability?

        - RG>
    • From what I read, yes. It only exposes passwords for the site you're visiting. The most common case of this is on myspace, where visiting a malicious website will transfer your myspace username/password to the website owner. This vulnerability exists on sites that allow users to post custom html and javascript and will expose your username and password for that site.

      This does not expose all your passwords, so if you have your bank password stored, it's safe, unless your bank has pages that allow users to post custom html and javascript.
      • Re: (Score:3, Insightful)

        Or unless you use the same password for myspace and a bunch of other places
      • Re: (Score:3, Informative)

        ..and allow Firefox to remember your passwords..

        In Rapidweather Remaster of Knoppix Linux [geocities.com], my livecd linux distro, I always set up Firefox _not_ to remember passwords.
        I put Firefox 2.0.0.5 in the Remaster [blogspot.com] just last week.
        Also, when the user closes Firefox, I have it set up so the entire ~/.mozilla is deleted. I presume that is where any password would reside. In the event of a Firefox crash, the ~/.mozilla is not deleted without an OK from the user. There is a dialog box that comes up and asks "Did you want

          • by snowgirl (978879) on Monday July 23 2007, @12:11PM (#19958237) Journal

            Actually you're safe if you use a master password with your password manager.


            Well this story kind of points out why obviously, this statement isn't necessarily true.
          • Oh really? (Score:4, Informative)

            by jgoemat (565882) on Monday July 23 2007, @06:02PM (#19963005)
            How are you safe?
            1. Open browser
            2. Click on MySpace bookmark
            3. Enter master password to login to myspace
            4. Visit joebob's page, which has javascript to steal your password
            5. pwn3d
            If you're on the site with the vulnerability, you probably already entered your master password to login, and you only have to do that once per session to use all of your passwords.
  • Dupe? (Score:5, Informative)

    by InvisblePinkUnicorn (1126837) on Monday July 23 2007, @10:21AM (#19956549)
    • Yeah, it's the same issue. On the plus side, they don't link to the same article (unless you count the fact that this one links to an article that links to the article from the old one)
  • "... If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."
    Will not affect me: I have a notoriously bad memory for passwords.
  • NoScript (Score:5, Informative)

    by grub (11606) <slashdot@grub.net> on Monday July 23 2007, @10:34AM (#19956733) Homepage Journal
    NoScript [noscript.net]
    Repeat ad nauseam.

    • No joke, right? I forget the exact vulnerability that recently made me install NoScript, but there's been enough cross-site scripting, ajax, and stored-password exploits recently to make anyone paranoid.
    • Re:NoScript (Score:5, Insightful)

      by Bacon Bits (926911) on Monday July 23 2007, @11:35AM (#19957767)
      NoScript is a horrible fix for this, because NoScript and the password manager use the same method to determine what is safe: the domain name of the server.

      If I go to, say, Blogspot.com with FF and I'm a member, I probably log in and save my password with FF. If I have NoScript and I visit the page frequently and post lots of comments, I also probably have blogspot.com on the trusted site list. If I go to a malicious blog (well, alright, a blog that exploits this vulnerability -- they're all malicious) then a) I'll be on a site that the password manager trusts and I'll be on a site that NoScript trusts.
  • by the.nourse.god (972290) on Monday July 23 2007, @10:36AM (#19956761) Homepage
    <sarcasm>And this is why I save all of my passwords in IE</sarcasm>

    This is why we need something better than text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do either one of two things - use the password remembering method in their browser of choice or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.
  • How is this news again? If you have enough knowledge to post a slashdot article, it's certainly not your first time here, and one would hope you saw the SAME issue from 3-6 days ago.
  • This isn't theft, it's liberation! Information (including passwords) wants to be free!
  • On the subject of JavaScript-enabled security holes, I use Javascript because so many sites depend on it, but block all scripts using NoScript until I decide to trust the domain of origin of the script. What I'd really like is a NoScript that will let me look at the script's source code before I decide to trust it, and allow/deny scripts on a per-script rather than per-domain basis.

    That said, is there a good Add-on for Firefox that handles password-management more securely? Something that keeps them store
  • Sure, it's a big issue, yet how many people actually use the "remember my password" feature? I just usually check the "remember me" box near the login and password entering fields, or enter my passwords manually.
  • by 140Mandak262Jamuna (970587) on Monday July 23 2007, @11:03AM (#19957197) Journal
    From what I understand, the user visits a site and the browser dishes out the remembered username password to that site. Whenever that site requests the username and password, the browser would do so. If the site allows any visitor to post javascript code and it incorporates such posted code as part of its own page, then the user too can use javascript to request the username/password and use javascript to phone home.

    Now why any of it is Firefox specific? Any browser/ browser-helper-object /password help toolbar would do the same. If you have only one user name for a site, firefox will pre-fill the field. And the javascript can read it without a get or post. I would guess this behaviour of prefilling when the username is unique is probably a Firefox thing.

    Generally sites that allow users to post javascript code would be dangerous and should not be visited. But I would not know a priori these sites.
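
A site-side check for the condition the comments above describe (user-supplied HTML and JavaScript published on the same domain as the login form the browser pre-fills), given here as an added example that is not part of any comment in this thread. The names `CredentialRiskScanner` and `scan_user_html` and the sample submissions are constructed for illustration.

```python
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "formaction"}  # attributes holding URLs


class CredentialRiskScanner(HTMLParser):
    """Flags markup that could script or imitate a login form on this origin."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag/attribute names and unescapes values.
        if tag in ("script", "form"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Drop whitespace/control characters so padded or split values
            # ("PassWord ", " java\tscript:") still match.
            compact = "".join(ch for ch in (value or "") if ch > " ").lower()
            if tag == "input" and name == "type" and compact == "password":
                self.findings.append("password input")
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            if name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def scan_user_html(markup):
    """Return the list of findings; an empty list means nothing was flagged."""
    scanner = CredentialRiskScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Constructed sample submissions (not taken from the thread).
BENIGN = '<p>Hi, I like <b>penguins</b>. <a href="/friends">Friends</a></p>'
FAKE_LOGIN = (
    '<FORM><input name="user"><input TYPE="PassWord" name="pass"></FORM>'
    '<img src="x.png" onload="/* script that reads the filled-in fields */">'
    '<a href=" java&#115;cript:void(0)">more</a>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("fake login", FAKE_LOGIN)):
        print(label, "->", scan_user_html(sample) or "nothing flagged")
```

Treat this as a review aid for submitted markup; publishing user HTML safely still calls for an allow-list sanitizer rather than a deny-list like this one.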

  • Safari (Score:3, Interesting)

    by ens0niq (883308) on Monday July 23 2007, @11:18AM (#19957441)
    • Re:Safari (Score:4, Interesting)

      by pherthyl (445706) on Monday July 23 2007, @11:51AM (#19957961)
      Interestingly enough, Konqueror/KHTML (on which Safari is based) is not vulnerable (just tried the demo). It does password saving as well, but apparently they have found a way to avoid the problem.
    • Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.

      Like anywhere else, you need to make a trade off between usability and security. Sure, it's not perfectly secure, but it's not worth it to me to have to remember the one off junk password I made up for NYTimes.com.

      The real issue, as usual, is javascript. I use "NoScript" and am careful about which sites I allow to execute scripts at all. That will do more for your security than anything else.
    • Meh, if someone has access to my computer physically anyways they can get all my passwords by installing a keylogger anyways. The vulnerability only affects the sites that let people post custom html/javascript. Those sites are just social sites like myspace and other stuff and who cares if someone gets your password for that.
      • by eck011219 (851729) on Monday July 23 2007, @11:02AM (#19957183)
        There are a couple issues here. First of all ...

        Those sites are just social sites like myspace and other stuff and who cares if someone gets your password for that.

        You'd probably begin to care after someone "hacks" your MySpace page and posts distasteful or illegal language or images. Explaining all of that to a police officer or a judge and jury is rife with peril.

        But the other point I think is pertinent here is that Firefox is really going for the common man crowd -- you don't buy a full-page ad in the New York Times if you want only geeks. So knowing that the average joe will be using Firefox and will happily save sensitive information if encouraged to do so (as one is with Firefox), that particular feature really has to be pretty rock-solid (or at the very least, not vulnerable to a pretty basic and classic javascript exploit).

        Don't get me wrong -- I love Firefox and use it almost exclusively. But this is the kind of thing that, whether truly a hazard to most users or not, can scare people away if it is carelessly presented to the public. Or if it really is a risk.
    • by Tridus (79566) on Monday July 23 2007, @10:49AM (#19956983) Homepage
      I knew Post It Notes were more secure!
    • by DigitAl56K (805623) on Monday July 23 2007, @10:52AM (#19957031)
      Who modded the parent post "Insightful", and why? It is a one line blanket statement cast against millions of people without discussion or foundation. I hope someone takes away your mod points.

      If you use many websites that require you to log in you don't have many options. You could use one password for all of them, in which case a breach on one account by an attacker essentially breaches all other accounts that they discover, or you can use unique passwords on each site, in which case it soon becomes impossible to remember them all accurately - especially for sites that you don't use very often. Additionally, some sites have rules around the number of upper case characters, special characters, digits, etc. in passwords, and these can be particularly difficult to remember.

      Certainly people are foolish if they store logins for bank accounts and the like in the password manager, but most people only have one or two really important logins.

      People who use the remember passwords functions are not idiots. People who expect the "remember passwords" functionality to be secure are not idiots either - if an application used by millions includes such functionality one would expect the developers to have secured it.
        • Re: (Score:3, Insightful)

          Why must every decision either be the best, most secure, or one made by an idiot? Aren't there decisions that may not be the ideal or may have some downsides to that aren't made by idiots?
    • by Mascot (120795) on Monday July 23 2007, @10:35AM (#19956743)
      That's what the "Master Password" option is for.

      Use a master password

              Firefox can protect sensitive information such as saved passwords
              and certificates by encrypting them using a master password. If you create a
              master password, each time you start Firefox, it will ask you to enter
              the password the first time it needs to access a certificate or stored
              password.
      • by strobert (79836) on Monday July 23 2007, @11:05AM (#19957219) Homepage
        In addition if you run with Noscript and Secure Login it really helps protect you. The former can let you disable javascript (and java/flash too) by default and only enable for sites you trust. The latter makes it so that for remembered passwords firefox does not fill in the form. Instead it highlights the fields it would fill in and you have to hit the secure login button to post the form data. Makes it so that you know when your saved passwords are being used and bypasses the input flow so that keyloggers can't even record the data.

        I would also recommend installing "Master Password Timeout" which will re-prompt you periodically for the password.
        • Re: (Score:3, Insightful)

          Did I detect a hint of sarcasm? Well then let me explain it for you.

          Suppose you signup for online banking and setup a password. Then you signup for some stupid website and use the same password. The problem is, you don't know if you can trust that 2nd site with your online banking password. They may just be phishing for passwords. Or maybe they are honest but incompetent enough to store your password in the DB in plain text, conveniently waiting there for the next hacker to locate.

          The solution: Use separate
    • by dvice_null (981029) on Monday July 23 2007, @10:37AM (#19956771)
      Passwords are not in plain text, but readable with Firefox.

      You can set master password to truly encrypt them. But if you let people access your harddrive, you can install keyloggers to steal the master password also. Or any password, no matter do you save it or not.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      It stores the password in plane text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a passwords this way. It is worse than writing your password down and putting it in your desk.

      Even worse, because it uses plane text, you are helping the terrorists, who can now hijack your passwords and fly them into skyscrapers!

    • by The Real Normal Dan (1131885) on Monday July 23 2007, @10:44AM (#19956889)
      Very funny you jerk! You steal my password, then mock me on my slashdot account! Is there an admin around? -The Real Normal Dan
    • FUD (Score:5, Informative)

      by jrumney (197329) on Monday July 23 2007, @10:46AM (#19956937) Homepage
      Firefox's password file has never been in plain text, although if you don't specify a master password, the decryption key is stored in the same directory, so the encryption will only stop casual opportunists.
    • It stores the password in plane text

      Shit, that's totally insecure! Way to go, Mozilla! [nationalskyads.com]
    • by eln (21727) * on Monday July 23 2007, @11:38AM (#19957825) Homepage
      Pretty much all text is plane text. Unless it's 3 dimensional I guess.
    • Re: (Score:3, Insightful)

      It also means that bugs get fixed faster and that if mozilla stops supporting a platform someone else can, and that we can have things like swiftfox available, so I think it is a good trade.

      But security through obscurity doesn't really work too well anyways...