Password Vulnerability In Firefox 2.0.0.5 (176 comments)

Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."

  • Dupe? (Score:5, Informative)

    by InvisblePinkUnicorn ( 1126837 ) on Monday July 23, 2007 @11:21AM (#19956549)
  • by Compholio ( 770966 ) on Monday July 23, 2007 @11:24AM (#19956581)

    I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
    I can confirm that it works on Linux.
  • NoScript (Score:5, Informative)

    by grub ( 11606 ) <slashdot@grub.net> on Monday July 23, 2007 @11:34AM (#19956733) Homepage Journal
    NoScript [noscript.net]
    Repeat ad nauseam.

  • by Mr. Sketch ( 111112 ) <<moc.liamg> <ta> <hcteks.retsim>> on Monday July 23, 2007 @11:35AM (#19956737)
    From what I read, yes. It only exposes passwords for the site you're visiting. The most common case of this is on myspace, where visiting a malicious website will transfer your myspace username/password to the website owner. This vulnerability exists on sites that allow users to post custom html and javascript and will expose your username and password for that site.

    This does not expose all your passwords, so if you have your bank password stored, it's safe, unless your bank has pages that allow users to post custom html and javascript.
  • by dvice_null ( 981029 ) on Monday July 23, 2007 @11:37AM (#19956771)
    Passwords are not in plain text, but readable with Firefox.

    You can set a master password to truly encrypt them. But if you let people access your hard drive, you can install keyloggers to steal the master password also. Or any password, no matter whether you save it or not.
  • Dupe? Of course! (Score:2, Informative)

    by IBBoard ( 1128019 ) on Monday July 23, 2007 @11:39AM (#19956821) Homepage
    Yeah, it's the same issue. On the plus side, they don't link to the same article (unless you count the fact that this one links to an article that links to the article from the old one)
  • FUD (Score:5, Informative)

    by jrumney ( 197329 ) on Monday July 23, 2007 @11:46AM (#19956937)
    Firefox's password file has never been in plain text, although if you don't specify a master password, the decryption key is stored in the same directory, so the encryption will only stop casual opportunists.
  • Firefox only? (Score:1, Informative)

    by IBBoard ( 1128019 ) on Monday July 23, 2007 @11:50AM (#19957009) Homepage
    Is Firefox really that insecure for this compared to the others? Yes, it auto-fills it but then any site that lets other people add Javascript to a page is vulnerable in an almost identical way. The main part of the script (on a timer to allow for auto-population) is:

    function doit()
    {
      // Read whatever the password manager auto-filled into the "passtest" form
      var name = document.passtest.name.value;
      var password = document.passtest.password.value;
      alert("Your username is: " + name + " and the password is: " + password);
    }
    All you need is to know the form on the page, subscribe to the submit event and snag the password contents for yourself and you've busted any browser wide open (as long as it lets you enter usernames and passwords) without the need to exploit password saving. You could even potentially listen for Ctrl+Enter key combos in Opera, although catching the use of the wand might be more difficult.
  • by Aleksej ( 1110877 ) on Monday July 23, 2007 @11:58AM (#19957119)
    Secure Login [mozilla.org]
  • by 140Mandak262Jamuna ( 970587 ) on Monday July 23, 2007 @12:03PM (#19957197) Journal
    From what I understand, the user visits a site and the browser dishes out the remembered username password to that site. Whenever that site requests the username and password, the browser would do so. If the site allows any visitor to post javascript code and it incorporates such posted code as part of its own page, then the user too can use javascript to request the username/password and use javascript to phone home.

    Now why is any of it Firefox specific? Any browser / browser-helper-object / password help toolbar would do the same. If you have only one user name for a site, Firefox will pre-fill the field. And the javascript can read it without a get or post. I would guess this behaviour of prefilling when the username is unique is probably a Firefox thing.

    Generally sites that allow users to post javascript code would be dangerous and should not be visited. But I would not know a priori these sites.
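
Added example, not part of any comment in this thread: the attack discussed here depends on a site publishing user-supplied script and form markup on its own origin, so the site-side defence is an allowlist filter over that markup. The function name, the tag allowlist and the sample profile are assumptions made for this illustration.

```javascript
// Added example (not from the thread): allowlist filter a site could run on
// user-submitted profile markup before publishing it on its own origin.
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li"]);
const ALLOWED_ATTRS = { a: ["href"] };          // everything else, incl. on* handlers, is dropped
const SAFE_URL = /^(?:https?:\/\/|mailto:)/i;   // rejects javascript:, data:, entity-encoded schemes
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESC[c]);

function sanitizeUserMarkup(input) {
  const TAG = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  const ATTR = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const rejected = [];
  let html = "", last = 0, m;
  while ((m = TAG.exec(input)) !== null) {
    html += escapeHtml(input.slice(last, m.index));   // text between tags is never markup
    last = TAG.lastIndex;
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {                    // script, form, input, iframe, ...
      if (!m[1]) rejected.push(name);                 // record opening tags only
      html += escapeHtml(m[0]);                       // published as inert text
      continue;
    }
    if (m[1]) { html += `</${name}>`; continue; }
    let attrs = "", a;
    while ((a = ATTR.exec(m[3])) !== null) {
      const attr = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? "").trim();
      const ok = (ALLOWED_ATTRS[name] || []).includes(attr) && SAFE_URL.test(value);
      if (ok) attrs += ` ${attr}="${escapeHtml(value)}"`;
      else rejected.push(`${name}[${attr}]`);
    }
    html += `<${name}${attrs}>`;                      // tag rebuilt from vetted parts only
  }
  html += escapeHtml(input.slice(last));
  return { html, rejected };
}

// Constructed sample: a profile that embeds a login form plus script to read it.
const SAMPLE = '<b>hi</b><form name="passtest"><input name="name">' +
  '<input type="password" name="password"></form>' +
  '<script>setTimeout(doit, 500)</script><a href="javascript:doit()" onclick="doit()">x</a>';

console.log(sanitizeUserMarkup(SAMPLE));
```

The `rejected` list doubles as a moderation signal: a profile that tries to publish `form`, `input` or `script` is worth a closer look.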

  • by strobert ( 79836 ) on Monday July 23, 2007 @12:05PM (#19957219) Homepage
    In addition if you run with Noscript and Secure Login it really helps protect you. The former can let you disable javascript (and java/flash too) by default and only enable for sites you trust. The latter makes it so that for remembered passwords firefox does not fill in the form. Instead it highlights the fields it would fill in and you have to hit the secure login button to post the form data. Makes it so that you know when your saved passwords are being used and bypasses the input flow so that keyloggers can't even record the data.

    I would also recommend installing "Master Password Timeout" which will re-prompt you periodically for the password.
  • by Simon Donkers ( 950228 ) <info@NOSPaM.simondonkers.com> on Monday July 23, 2007 @12:12PM (#19957343) Homepage
    I have enabled the master password and the proof of concept fails. It launches a window asking me for my master password before filling in any passwords.

    Note that the master password on its own still is not secure because you only need to type it in once until you restart your browser but combined with the add-on Master Password Timeout you are relatively safe. Just don't browse dodgy websites minutes after logging in.
  • by snowgirl ( 978879 ) on Monday July 23, 2007 @01:11PM (#19958237) Journal

    Actually you're safe if you use a master password with your password manager.


    Well this story kind of points out why obviously, this statement isn't necessarily true.
  • by rapidweather ( 567364 ) on Monday July 23, 2007 @05:31PM (#19961937) Homepage
    ..and allow Firefox to remember your passwords..


    In Rapidweather Remaster of Knoppix Linux [geocities.com], my livecd linux distro, I always set up Firefox _not_ to remember passwords.
    I put Firefox 2.0.0.5 in the Remaster [blogspot.com] just last week.
    Also, when the user closes Firefox, I have it set up so the entire ~/.mozilla is deleted. I presume that is where any password would reside. In the event of a Firefox crash, the ~/.mozilla is not deleted without an OK from the user. There is a dialog box that comes up and asks "Did you want to close Firefox?".
    So, even though I do have Javascript enabled, I would assume from the discussion that the current, "in-use" password is safe. Usually, when I do online banking, I follow the recommendation to "close the browser", and with the above setup where ~/.mozilla is deleted, I should be safe.

    Rapidweather

  • Oh really? (Score:4, Informative)

    by jgoemat ( 565882 ) on Monday July 23, 2007 @07:02PM (#19963005)
    How are you safe?
    1. Open browser
    2. Click on MySpace bookmark
    3. Enter master password to login to myspace
    4. Visit joebob's page, which has javascript to steal your password
    5. pwn3d
    If you're on the site with the vulnerability, you probably already entered your master password to login, and you only have to do that once per session to use all of your passwords.
