Forgot your password?
typodupeerror
Mozilla The Internet Security

Password Vulnerability In Firefox 2.0.0.5 176

Posted by CmdrTaco
from the waiting-for-the-patch-boys dept.
Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."
This discussion has been archived. No new comments can be posted.

Password Vulnerability In Firefox 2.0.0.5

Comments Filter:
  • by sexybomber (740588) <boccilino@NOSpam.gmail.com> on Monday July 23, 2007 @11:20AM (#19956533)
    I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
    • by Compholio (770966) on Monday July 23, 2007 @11:24AM (#19956581)

      I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
      I can confirm that it works on Linux.
    • by Mr. Sketch (111112) <mister.sketch@gmai[ ]om ['l.c' in gap]> on Monday July 23, 2007 @11:35AM (#19956737)
      From what I read, yes. It only exposes passwords for the site you're visiting. The most common case of this is on myspace, where visiting a malicious website will transfer your myspace username/password to the website owner. This vulnerability exists on sites that allow users to post custom html and javascript and will expose your username and password for that site.

      This does not expose all your passwords, so if you have you bank password stored, it's safe, unless your bank has pages that allow users to post custom html and javascript.
      • Re: (Score:3, Insightful)

        by slagell (959298)
        Or unless you use the same password for myspace and a bunch of other places
      • by snowgirl (978879)
        You know... this is one reason why I don't store ANY of my passwords for webpages anywhere but my head.

        Granted my IMs all store my password, because I want them to log in automatically, but I just simply do not trust a webbrowser to keep any of my passwords.
        • by dougmc (70836)

          You know... this is one reason why I don't store ANY of my passwords for webpages anywhere but my head.

          ... which probably means that your your webpage passwords are probably all the same, or many are the same, or you just don't use many web sites that make you log in. Or you have superhuman memory, of course.

          Which is worse? Keeping the same password everywhere, or risking that there might be a hole in your browser at some point? (Or that somebody might hack into your box and copy the entire password file.) I'll have to say the first.

          Still, keeping your bank password (and other passwords that rea

      • Re: (Score:2, Insightful)

        by xsadar (627057)

        This does not expose all your passwords, so if you have you bank password stored, it's safe . . .
        It may be safe from this particular vulnerability, but I would never consider a stored password to be safe.
      • Re: (Score:3, Informative)

        by rapidweather (567364)
        ..and allow Firefox to remember your passwords..

        In Rapidweather Remaster of Knoppix Linux [geocities.com], my livecd linux distro, I always set up Firefox _not_ to remember passwords.
        I put Firefox 2.0.0.5 in the Remaster [blogspot.com] just last week.
        Also, when the user closes Firefox, I have it set up so the entire ~/.mozilla is deleted. I presume that is where any password would reside. In the event of a Firefox crash, the ~/.mozilla is not deleted without an OK from the user. There is a dialog box that comes up and asks "Did you want

    • Re: (Score:2, Informative)

      by Simon Donkers (950228)
      I have enabled the master password and the proof of concept fails. It launches a window asking me for my master password before filling in any passwords.

      Note that the master password on it's own still is not secure because you only need to type it in once until you restart your browser but combined with the add-on Master Password Timeout you are relatively safe. Just don't browse dodgy websites minutes after logging in.
  • Dupe? (Score:5, Informative)

    by InvisblePinkUnicorn (1126837) on Monday July 23, 2007 @11:21AM (#19956549)
    • by the.WZA (769248)
      Yes. It's a dupe.
    • Dupe? Of course! (Score:2, Informative)

      by IBBoard (1128019)
      Yeah, it's the same issue. On the plus side, they don't link to the same article (unless you count the fact that this one links to an article that links to the article from the old one)
    • by denttford (579202)
      Yeah, the title seems to indicate that there is a vulnerability with specific to the new FF release, but no. Same story.

      Same solution (for FF) - which I got from a post in the previous story (thank you): Secure Login [mozilla.org].
    • Ohmygod. Dupes belong to the culture of Slashdot, they are the cherry on the cake for all the people who don't get a message at the first time, or who make a living pointing out dupes on /.

      For what it's worth, messages with a subject ~ "*[Dd]upe*\!" are the most common dupes, and should be avoided at all cost.

      We should stop pointing out dupes and start slashing non-dupes. That would reduce the traffic by at least 24.3% and would allow /. to postpone the next harddisk purchase by a month or two, or one c

  • I never liked firefox's save password ability. It stores the password in plane text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a passwords this way. It is worse than writing your password down and putting it in your desk.
    • by Mascot (120795) on Monday July 23, 2007 @11:35AM (#19956743)
      That's what the "Master Password" option is for.

      Use a master password

              Firefox can protect sensitive information such as saved passwords
              and certificates by encrypting them using a master password. If you create a
              master password, each time you start Firefox, it will ask you to enter
              the password the first time it needs to access a certificate or stored
              password.
      • by strobert (79836) on Monday July 23, 2007 @12:05PM (#19957219) Homepage
        In addition if you run with Noscript and Secure Login it really helps protect you. The former can let you disable javascript (and java/flash too) by default and only enable for sites you trust. The later makes it so that for remembered passwords firefox does not fill in the form. Instead it highlights the fields it would fill in and you have to hit the secure login button to post the form data. Makes it so that you know when you saved passwords are being used and bypasses the input flow so that keyloggers can't even record the data.

        I would also recommend installing "Master Password Timeout" which will re-prompt you periodically for the password.
    • by dvice_null (981029) on Monday July 23, 2007 @11:37AM (#19956771)
      Passwords are not in plain text, but readable with Firefox.

      You can set master password to truely encrypt them. But if you let people to access your harddrive, you can install keyloggers to steal the master password also. Or any password, no matter do you save it or not.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      It stores the password in plane text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a passwords this way. It is worse than writing your password down and putting it in your desk.

      Even worse, because it uses plane text, you are helping the terrorists, who can now hijack your passwords and fly them into skyscrapers!

    • by The Real Normal Dan (1131885) on Monday July 23, 2007 @11:44AM (#19956889)
      Very funny you jerk! You steal my password, then mock me on my slashdot account! Is there an admin around? -The Real Normal Dan
    • FUD (Score:5, Informative)

      by jrumney (197329) on Monday July 23, 2007 @11:46AM (#19956937) Homepage
      Firefox's password file has never been in plain text, although if you don't specify a master password, the decryption key is stored in the same directory, so the encryption will only stop casual opportunists.
    • by suv4x4 (956391)
      It stores the password in plane text

      Shit, that's totally insecure! Way to go, Mozilla! [nationalskyads.com]
    • by eln (21727) * on Monday July 23, 2007 @12:38PM (#19957825) Homepage
      Pretty much all text is plane text. Unless it's 3 dimensional I guess.
    • It stores the password in plane text
      So your password is probably one of the entries here [xcski.com]
  • "... If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."
    Will not effect me: I have a notoriously bad memory for passwords.
  • NoScript (Score:5, Informative)

    by grub (11606) <slashdot@grub.net> on Monday July 23, 2007 @11:34AM (#19956733) Homepage Journal
    NoScript [noscript.net]
    Repeat ad nauseum.

    • by Aladrin (926209)
      No joke, right? I forget the exact vulnerability that recently made me install NoScript, but there's been enough cross-site scripting, ajax, and stored-password exploits recently to make anyone paranoid.
    • Re:NoScript (Score:5, Insightful)

      by Bacon Bits (926911) on Monday July 23, 2007 @12:35PM (#19957767)
      NoScript is a horrible fix for this, because NoScript and the password manager use the same method to determine what is safe: the domain name of the server.

      If I go to, say, Blogspot.com with FF and I'm a member, I probably log in and save my password with FF. If I have NoScript and I visit the page frequently and post lots of comments, I also probably have blogspot.com on the trusted site list. If I go to a malicious blog (well, alright, a blog that exploits this vulnerability -- they're all malicious) then a) I'll be on a site that the password manager trusts and I'll be on a site that NoScript trusts.
      • by Kingrames (858416)
        Then don't go to blogspot.com.
        If the website allows that kind of malicious behavior, then they need to change.
        • Yes, that's brilliant. I guess we don't need to worry about IE security flaws either, then? They have workarounds, too! Ah well, and /. has such fun railing MS for it, too.
  • by the.nourse.god (972290) on Monday July 23, 2007 @11:36AM (#19956761) Homepage
    <sarcasm>And this is why I save all of my passwords in IE</sarcasm>

    This is why we need something better that text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do either one of two things - use the password remembering method in their browser of choice or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.
    • by CBravo (35450)

      This is why we need something better that text passwords for authentication on the web.
      Well you could use a USB stick which emulates a keyboard that can insert username/password combinations. Or you could use standard encryption methods... (signing, etc).
    • God, I wish everyone would just switched over to OpenID and be done with it. One password for everything? Sign me up! (Well, I already have). Now I'm just waiting/hoping it'll gain critical mass and start being implemented into every site.
  • Again? (Score:2, Insightful)

    How is this news again? If you have enough knowledge to post a slashdot article, its certainly not your first time here, and one would hope you saw the SAME issue from 3-6 days ago.
  • by goldspider (445116) <ardrake79NO@SPAMgmail.com> on Monday July 23, 2007 @11:47AM (#19956955) Homepage
    This isn't theft, it's liberation! Information (including passwords) wants to be free!
    • by AndersOSU (873247)
      Not only that, but when they use the free passwords, it's not identity theft, it's identity infringement.
    • by jgoemat (565882)

      This isn't theft, it's liberation! Information (including passwords) wants to be free!

      I assume you are making a dig at the anti-copyright crowd. The distinction you fail to see is that copyrighted works are published, letting recipients know exactly what is in them. It is merely the monopoly on copying and creation of derivative works that is protected by law in order to give the public an incentive to create new works. Passwords are opposite in that they are kept secret for a good reason. Also they p

  • On the subject of Jasascript-enabled security holes, I use Javascript because so many sites depend on it, but block all scripts using NoScript until I decide to trust the domain of origin of the script. What I'd really like is a NoScript that will let me look at the script's source code before I decide to trust it, and allow/deny scripts on a per-script rather than per-domain basis.

    That said, is there a good Add-on for Firefox that handles password-management more securely? Something that keeps them store
  • Secure Login [mozilla.org]
    • by e_AltF4 (247712)
      Using it for some time and it seems to stop the vulnerability.

      Recommended if you are lazy (as i am) and allow FF to manage your passwords.
  • Sure, it's a big issue, yet how many peope actually use the "remember my password" feature? I just usually check the "remember me" box near the login and password entering fields, or enter my passwords manually.
    • by compro01 (777531)
      i use it at work, but all the sites i use it for are internal sites that aren't accessible from outside our network, so i don't see any issue for me.
  • by 140Mandak262Jamuna (970587) on Monday July 23, 2007 @12:03PM (#19957197) Journal
    From what I understand, the user visits a site and the browser dishes out the remembered username password to that site. Whenever that site requests the username and password, the browser would do so. If the site allows anyvisitor to post javascript code and it incorporates such posted code as part of its own page, then the user too can use javascript to request the username/password and use javascript to phone home.

    Now why any of it is Firefox specific? Any browser/ browser-helper-object /password help toolbar would do the same. If you have only one user name for a site, firefox will pre-fill the field. And the javascript can read it without a get or post. I would guess this behaviour of prefilling when the username is unique is probably a Firefox thing.

    Generally sites that allow users to post javascript code would be dangerous and should not be visited. But I would not know a priori these sites.

    • by makomk (752139)
      Bingo! Notice that, in the demo, the password form and the malicious page are on the same domain. JavaScript's security model is not designed to protect against situations like this - even if Firefox only filled in the password on the actual password form and not the malicious page, the malicious page could just load up the password form in a frame and use cross-frame scripting to retrieve the password. This is a non-event.
  • Safari (Score:3, Interesting)

    by ens0niq (883308) on Monday July 23, 2007 @12:18PM (#19957441)
  • a) If it is your machine you could just as well use a PGP encrypoted text file. If the website in question is still vulnerable, then it is a problem with the website, and changing browser won't help you.

    b) If it is not your machine, or if you think your machine is compromised, then you really shouldn't be typing your passwords in it to begin with.

    Seriously, find a strong passphrase and store the damn password list as a PGP encyrpted file on a USB pen drive. Only decrypt it on machines you trust. If you stil
  • The Great Law of Computer Security: Networked computers are insecure by nature. Everything that is stored within a networked computer can and will be compromised. Corollary: Always use a non-networked computer to store critical data, or better yet, no computer at all; a piece of paper inside your wallet is probably safer at most situations. Shortened version: Distrust all computers.
  • I have found all versions of FF from 1.0 to 2.0.0.4 tend to sometimes store a password unasked, and then automatically fill in the password (but not the username) on my next visit to the site.

    I have never heard of anyone else having this problem, and I cannot reliably reproduce it, but it does happen occasionally.
  • I am shamed to admit but I used to use the same password on many sites, only using unique passwords for those I regarded as important. It was only when at one job the employer terminated the employment of many staff (financial problems) and we were forced to leave the building without returning to our desks that I realised that saving passwords on a work computer was not a good thing (my then former colleagues would have had access to my password saves in firefox and thus access to my default pass).

    Since

  • Is there some reason that Firefox thought it was a good idea to automatically populate passwords for the user?

    It just seems to me like better design to require some sort of user interaction before coughing up a password.
  • Since disabling JavaScript really isn't an option these days, I guess my question is: Do using a Master Password (like I do) really protect you and will somebody from Mozilla comment, please. Seriously, since the advent of an integrated Master Password I've been letting my web browser remember passwords for me, but really put a dent in my confidence.
  • How to solve: Do the opposite of what's done with input type=file
    With input type=file, the script cannot write the value, and changing it to this from another type clears the value. With input type=password, have it so that changing it _from_ password _to_ another type clears the value, and so that the script cannot _read_ the value.
  • This exploit involves users visiting a malicious website. To learn more about this exploit, click here [p0wn3d.com].

  • to allow any APPLICATION to remember my passwords...

    That's what my brain is for. And for those of you without brains - and you know who you are - there are encrypted password managers for that.

  • IF you password protect your master password list then when you go to the "evil page" it will pop up a window asking for your master password. Furthermore to protect yourself even more you can install this plugin Master Password Timeout [mozilla.org] and set your password to time out after a very short period of time. This way every page you go to during your session that has a login you will have to enter you master password again anew.

    Is this a fix. No. Does this work on all OS's yes.

Life's the same, except for the shoes. - The Cars

Working...