Password Vulnerability In Firefox 2.0.0.5 176
Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."
Do not save passwords (Score:1, Insightful)
Re:Password Remember Function (Score:5, Insightful)
Like anywhere else, you need to make a trade off between usability and security. Sure, it's not perfectly secure, but it's not worth it to me to have to remember the one off junk password I made up for NYTimes.com.
The real issue, as usual, is javascript. I use "NoScript" and am careful about which sites I allow to execute scripts at all. That will do more for your security than anything else.
Re:Do not save passwords (Score:5, Insightful)
Passwords in general (Score:5, Insightful)
This is why we need something better that text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do either one of two things - use the password remembering method in their browser of choice or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.
Not as bad as you think. (Score:1, Insightful)
Reading my list of saved passwords; my company intranet sites aren't vulnerable, my bank website isn't vulnerable, my shopping sites aren't vulnerable. All that is vulnerable are forum websites, and that's only if someone finds a way to inject Javascript, which is normally stripped out by all of them.
I don't think it's possible to avoid this without serious hijinks to the DOM; it has always been possible to inspect the current contents of form inputs, including password inputs.
Again? (Score:2, Insightful)
Re:Password Remember Function (Score:5, Insightful)
If you use many websites that require you to log in you don't have many options. You could use one password for all of them, in which case a breach on one account by an attacker essentially breaches all other accounts that they discover, or you can use unique passwords on each site, in which case it soon becomes impossible to remember them all accurately - especially for sites that you don't use very often. Additionally, some sites have rules around the number of upper case characters, special characters, digits, etc. in passwords, and these can be particularly difficult to remember.
Certainly people are foolish if they store logins for bank accounts and the like in the password manager, but most people only have one or two really important logins.
People who use the remember passwords functions are not idiots. People who expect the "remember passwords" functionality to be secure are not idiots either - if an application used by millions includes such functionality one would expect the developers to have secured it.
Re:Is this OS independent? (Score:3, Insightful)
Re:Password Remember Function (Score:5, Insightful)
You'd probably begin to care after someone "hacks" your MySpace page and posts distasteful or illegal language or images. Explaining all of that to a police officer or a judge and jury is rife with peril.
But the other point I think is pertinent here is that Firefox is really going for the common man crowd -- you don't buy a full-page ad in the New York Times if you want only geeks. So knowing that the average joe will be using Firefox and will happily save sensitive information if encouraged to do so (as one is with Firefox), that particular feature really has to be pretty rock-solid (or at the very least, not vulnerable to a pretty basic and classic javascript exploit).
Don't get me wrong -- I love Firefox and use it almost exclusively. But this is the kind of thing that, whether truly a hazard to most users or not, can scare people away if it is carelessly presented to the public. Or if it really is a risk.
Re:Password Remember Function (Score:2, Insightful)
Re:I love FireFox BUT... (Score:3, Insightful)
It also means that bugs get fixed faster and that if mozilla stops supporting a platform someone else can, and that we can have things like swiftfox available, so I think it is a good trade.
But security through obscurity doesn't really work too well anyways...
Re:I love FireFox BUT... (Score:2, Insightful)
This one was a "how the browser works" based on visible behaviour, so it would have been found in a closed-source app as well.
Re:NoScript (Score:5, Insightful)
If I go to, say, Blogspot.com with FF and I'm a member, I probably log in and save my password with FF. If I have NoScript and I visit the page frequently and post lots of comments, I also probably have blogspot.com on the trusted site list. If I go to a malicious blog (well, alright, a blog that exploits this vulnerability -- they're all malicious) then a) I'll be on a site that the password manager trusts and I'll be on a site that NoScript trusts.
Re:Password Remember Function (Score:3, Insightful)
Re:Is this OS independent? (Score:2, Insightful)
Re:Do not save passwords (Score:3, Insightful)
Suppose you signup for online banking and setup a password. Then you signup for some stupid website and use the same password. The problem is, you don't know if you can trust that 2nd site with your online banking password. They may just be phishing for passwords. Or maybe they are honest but incompetent enough to store your password in the DB in plain text, conveniently waiting there for the next hacker to locate.
The solution: Use separate passwords for the 2 sites? But then how do you start partitioning things? Do all the banking sites get the same password, your email a different password, you photo website a separate password, etc? Can you even trust all banks to have the same password? Perhaps it would be safer to use a different password for each one.
By now you are looking at dozens of different passwords. Trouble is...how do you remember them all? Write them all down? Thats a big no-no. However, what if you put them in a text file and then encrypted the file? Now you only have to remember 1 thing...the decryption key, and that NEVER has to be given to anyone.
But no, I guess sarcastic mocking is funner, isn't it?