
Password Vulnerability In Firefox 2.0.0.5 (176 comments)

Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."
  • by Normal Dan ( 1053064 ) on Monday July 23, 2007 @11:24AM (#19956591)
    I never liked Firefox's save password ability. It stores the password in plain text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a password this way. It is worse than writing your password down and putting it in your desk.
  • by SatanicPuppy ( 611928 ) * <SatanicpuppyNO@SPAMgmail.com> on Monday July 23, 2007 @11:26AM (#19956613) Journal
    Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.

    Like anywhere else, you need to make a trade off between usability and security. Sure, it's not perfectly secure, but it's not worth it to me to have to remember the one off junk password I made up for NYTimes.com.

    The real issue, as usual, is javascript. I use "NoScript" and am careful about which sites I allow to execute scripts at all. That will do more for your security than anything else.
  • by Mascot ( 120795 ) on Monday July 23, 2007 @11:35AM (#19956743)
    That's what the "Master Password" option is for.

    Use a master password

            Firefox can protect sensitive information such as saved passwords
            and certificates by encrypting them using a master password. If you create a
            master password, each time you start Firefox, it will ask you to enter
            the password the first time it needs to access a certificate or stored
            password.
  • by the.nourse.god ( 972290 ) on Monday July 23, 2007 @11:36AM (#19956761) Homepage
    <sarcasm>And this is why I save all of my passwords in IE</sarcasm>

    This is why we need something better than text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do either one of two things - use the password remembering method in their browser of choice or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.
  • by Anonymous Coward on Monday July 23, 2007 @11:40AM (#19956829)
    It's not possible for websites to steal saved passwords from other websites; it's only possible to steal a password if Firefox auto-fills a password field, and obviously this only occurs if you're on a website you saved the password for in the first place.

    Reading my list of saved passwords; my company intranet sites aren't vulnerable, my bank website isn't vulnerable, my shopping sites aren't vulnerable. All that is vulnerable are forum websites, and that's only if someone finds a way to inject Javascript, which is normally stripped out by all of them.

    I don't think it's possible to avoid this without serious hijinks to the DOM; it has always been possible to inspect the current contents of form inputs, including password inputs.
  • Again? (Score:2, Insightful)

    by HouseArrest420 ( 1105077 ) on Monday July 23, 2007 @11:45AM (#19956905)
    How is this news again? If you have enough knowledge to post a Slashdot article, it's certainly not your first time here, and one would hope you saw the SAME issue from 3-6 days ago.
  • by DigitAl56K ( 805623 ) on Monday July 23, 2007 @11:52AM (#19957031)
    Who modded the parent post "Insightful", and why? It is a one line blanket statement cast against millions of people without discussion or foundation. I hope someone takes away your mod points.

    If you use many websites that require you to log in you don't have many options. You could use one password for all of them, in which case a breach on one account by an attacker essentially breaches all other accounts that they discover, or you can use unique passwords on each site, in which case it soon becomes impossible to remember them all accurately - especially for sites that you don't use very often. Additionally, some sites have rules around the number of upper case characters, special characters, digits, etc. in passwords, and these can be particularly difficult to remember.

    Certainly people are foolish if they store logins for bank accounts and the like in the password manager, but most people only have one or two really important logins.

    People who use the remember passwords functions are not idiots. People who expect the "remember passwords" functionality to be secure are not idiots either - if an application used by millions includes such functionality one would expect the developers to have secured it.
  • by slagell ( 959298 ) on Monday July 23, 2007 @11:57AM (#19957101) Homepage
    Or unless you use the same password for myspace and a bunch of other places
  • by eck011219 ( 851729 ) on Monday July 23, 2007 @12:02PM (#19957183)
    There are a couple issues here. First of all ...

    Those sites are just social sites like myspace and other stuff and who cares if someone gets your password for that.

    You'd probably begin to care after someone "hacks" your MySpace page and posts distasteful or illegal language or images. Explaining all of that to a police officer or a judge and jury is rife with peril.

    But the other point I think is pertinent here is that Firefox is really going for the common man crowd -- you don't buy a full-page ad in the New York Times if you want only geeks. So knowing that the average joe will be using Firefox and will happily save sensitive information if encouraged to do so (as one is with Firefox), that particular feature really has to be pretty rock-solid (or at the very least, not vulnerable to a pretty basic and classic javascript exploit).

    Don't get me wrong -- I love Firefox and use it almost exclusively. But this is the kind of thing that, whether truly a hazard to most users or not, can scare people away if it is carelessly presented to the public. Or if it really is a risk.
  • by Anonymous Coward on Monday July 23, 2007 @12:07PM (#19957267)
    Why do idiots still spread the FUD that it is bad or a "security threat" to use their credit card online? You are perfectly safe. If someone does steal and use your number you are only responsible for the first $50, and every bank I've ever dealt with will waive that. Idiots like you are the reason it took me so long to convince my mom not to use PERSONAL CHECKS on eBay. Because of the FUD about credit cards, I had a hard time explaining to her that they were MUCH safer than checks! You are MORE vulnerable using your credit card in a "real" store than online.
  • by Vexorian ( 959249 ) on Monday July 23, 2007 @12:12PM (#19957349)

    It also means that bugs get fixed faster and that if mozilla stops supporting a platform someone else can, and that we can have things like swiftfox available, so I think it is a good trade.

    But security through obscurity doesn't really work too well anyways...

  • by IBBoard ( 1128019 ) on Monday July 23, 2007 @12:18PM (#19957459) Homepage
    Possibly, but how many bugs have been exploited in Firefox because of being able to view the source code and how many would have been picked up by a closed-source 'fuzzing' anyway?

    This one was a "how the browser works" based on visible behaviour, so it would have been found in a closed-source app as well.
  • Re:NoScript (Score:5, Insightful)

    by Bacon Bits ( 926911 ) on Monday July 23, 2007 @12:35PM (#19957767)
    NoScript is a horrible fix for this, because NoScript and the password manager use the same method to determine what is safe: the domain name of the server.

    If I go to, say, Blogspot.com with FF and I'm a member, I probably log in and save my password with FF. If I have NoScript and I visit the page frequently and post lots of comments, I also probably have blogspot.com on the trusted site list. If I go to a malicious blog (well, alright, a blog that exploits this vulnerability -- they're all malicious) then a) I'll be on a site that the password manager trusts and b) I'll be on a site that NoScript trusts.
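
An added illustration of the trust overlap described in the comment above (not part of the original thread, and not Firefox or NoScript code): a simplified model in which both the saved-login lookup and the script allow-list are keyed on hostname alone. The host `blogs.example`, the paths, the `author` field and the stricter host-and-path policy are assumptions made for the example.

```javascript
// Simplified model for illustration; not Firefox or NoScript source code.
// Constructed sample data: a hypothetical shared blog host with user-authored pages.
const savedLogins = [{ host: "blogs.example", path: "/login", user: "alice" }];
const scriptAllowList = new Set(["blogs.example"]);
const pages = [
  { url: "https://blogs.example/login", author: "site" },
  { url: "https://blogs.example/u/mallory/post-1", author: "third-party" },
  { url: "https://other.example/login", author: "third-party" },
];

// Hostname-only matching: the trust decision the comment describes.
function fillByHost(url) {
  const { hostname } = new URL(url);
  return savedLogins.some((l) => l.host === hostname);
}

// Assumed stricter policy: fill only on the exact path where the login was saved.
function fillByHostAndPath(url) {
  const { hostname, pathname } = new URL(url);
  return savedLogins.some((l) => l.host === hostname && l.path === pathname);
}

// Script allow-list check, also keyed on hostname only.
function scriptsAllowed(url) {
  return scriptAllowList.has(new URL(url).hostname);
}

// A page is exposed when third-party-authored content is both allowed to
// run script and handed an auto-filled password field.
function exposedPages(fillPolicy) {
  return pages
    .filter((p) => p.author !== "site")
    .filter((p) => scriptsAllowed(p.url) && fillPolicy(p.url))
    .map((p) => p.url);
}

console.log("host-only fill:", exposedPages(fillByHost));
console.log("host+path fill:", exposedPages(fillByHostAndPath));
```

Under hostname-only matching the user-authored page on the shared host passes both checks; tying the fill decision to the path where the login was saved removes it from the exposed set while the real login page still fills.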
  • by LoverOfJoy ( 820058 ) on Monday July 23, 2007 @01:40PM (#19958657) Homepage
    Why must every decision either be the best, most secure, or one made by an idiot? Aren't there decisions that may not be the ideal or may have some downsides that aren't made by idiots?
  • by xsadar ( 627057 ) on Monday July 23, 2007 @01:59PM (#19958929)

    This does not expose all your passwords, so if you have your bank password stored, it's safe . . .
    It may be safe from this particular vulnerability, but I would never consider a stored password to be safe.
  • by LordKronos ( 470910 ) on Monday July 23, 2007 @03:12PM (#19959965)
    Did I detect a hint of sarcasm? Well then let me explain it for you.

    Suppose you sign up for online banking and set up a password. Then you sign up for some stupid website and use the same password. The problem is, you don't know if you can trust that 2nd site with your online banking password. They may just be phishing for passwords. Or maybe they are honest but incompetent enough to store your password in the DB in plain text, conveniently waiting there for the next hacker to locate.

    The solution: Use separate passwords for the 2 sites? But then how do you start partitioning things? Do all the banking sites get the same password, your email a different password, your photo website a separate password, etc? Can you even trust all banks to have the same password? Perhaps it would be safer to use a different password for each one.

    By now you are looking at dozens of different passwords. Trouble is...how do you remember them all? Write them all down? That's a big no-no. However, what if you put them in a text file and then encrypted the file? Now you only have to remember 1 thing...the decryption key, and that NEVER has to be given to anyone.

    But no, I guess sarcastic mocking is funner, isn't it?
