Password Vulnerability In Firefox 2.0.0.5
Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."
Dupe? (Score:5, Informative)
Re:Is this OS independent? (Score:5, Informative)
NoScript (Score:5, Informative)
Repeat ad nauseam.
Re:Is this OS independent? (Score:5, Informative)
This does not expose all your passwords, so if you have your bank password stored, it's safe, unless your bank has pages that allow users to post custom HTML and JavaScript.
Re:Do not save passwords (Score:4, Informative)
You can set a master password to truly encrypt them. But if you let people access your hard drive, they can install keyloggers to steal the master password as well. Or any password, no matter whether you save it or not.
Dupe? Of course! (Score:2, Informative)
FUD (Score:5, Informative)
Firefox only? (Score:1, Informative)
An extension to help you... (Score:2, Informative)
Is it Firefox specific? (Score:4, Informative)
Now why is any of it Firefox specific? Any browser / browser-helper-object / password-helper toolbar would do the same. If you have only one user name for a site, Firefox will pre-fill the field. And the JavaScript can read it without a GET or POST. I would guess this behaviour of prefilling when the username is unique is probably a Firefox thing.
Generally, sites that allow users to post JavaScript code would be dangerous and should not be visited. But I would not know these sites a priori.
Re:Do not save passwords (Score:5, Informative)
I would also recommend installing "Master Password Timeout" which will re-prompt you periodically for the password.
Re:Is this OS independent? (Score:2, Informative)
Note that the master password on its own still is not secure, because you only need to type it in once until you restart your browser, but combined with the add-on Master Password Timeout you are relatively safe. Just don't browse dodgy websites minutes after logging in.
Re:Is this OS independent? (Score:5, Informative)
Well, this story kind of points out why, obviously, this statement isn't necessarily true.
Re:Is this OS independent? (Score:3, Informative)
In Rapidweather Remaster of Knoppix Linux [geocities.com], my LiveCD Linux distro, I always set up Firefox _not_ to remember passwords.
I put Firefox 2.0.0.5 in the Remaster [blogspot.com] just last week.
Also, when the user closes Firefox, I have it set up so the entire ~/.mozilla is deleted. I presume that is where any password would reside. In the event of a Firefox crash, the ~/.mozilla is not deleted without an OK from the user. There is a dialog box that comes up and asks "Did you want to close Firefox?".
So, even though I do have JavaScript enabled, I would assume from the discussion that the current, "in-use" password is safe. Usually, when I do online banking, I follow the recommendation to "close the browser", and with the above setup where ~/.mozilla is deleted, I should be safe.
Rapidweather
Oh really? (Score:4, Informative)