Password Vulnerability In Firefox 2.0.0.5
Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."
Is this OS independent? (Score:4, Interesting)
Re:Is this OS independent? (Score:5, Informative)
Re: (Score:3, Funny)
Well...actually I can't. If you excuse me, I'll go back to my corner where I can dialog with my shadow.
Re:Is this OS independent? (Score:5, Funny)
- RG>
Re:Is this OS independent? (Score:5, Informative)
This does not expose all your passwords, so if you have your bank password stored, it's safe, unless your bank has pages that allow users to post custom HTML and JavaScript.
Re: (Score:3, Insightful)
Re:Is this OS independent? (Score:5, Funny)
Re: (Score:3, Funny)
Dork.
Re: (Score:2)
While you're logged on, could you send me a couple of bucks for the weekend? If there's anything left, that is.
Re: (Score:2)
Granted, my IMs all store my password, because I want them to log in automatically, but I simply do not trust a web browser to keep any of my passwords.
Re: (Score:2)
You know... this is one reason why I don't store ANY of my passwords for webpages anywhere but my head.
Which is worse? Keeping the same password everywhere, or risking that there might be a hole in your browser at some point? (Or that somebody might hack into your box and copy the entire password file.) I'll have to say the first.
Still, keeping your bank password (and other passwords that rea
Re:Is this OS independent? (Score:5, Informative)
Well, this story kind of points out why, obviously, this statement isn't necessarily true.
Oh really? (Score:4, Informative)
Re: (Score:2)
Of course, I love when I use a "I forgot my password" program and they email me my password. It's like, "Um..... thanks?"
I swear... seriously, everyone seems to have really poor password security, so I have a standard throw-away password for random sites that I don't particularly care if they go one way or the other.
Re: (Score:2, Insightful)
Re: (Score:3, Informative)
In Rapidweather Remaster of Knoppix Linux [geocities.com], my livecd linux distro, I always set up Firefox _not_ to remember passwords.
I put Firefox 2.0.0.5 in the Remaster [blogspot.com] just last week.
Also, when the user closes Firefox, I have it set up so the entire ~/.mozilla is deleted. I presume that is where any password would reside. In the event of a Firefox crash, the ~/.mozilla is not deleted without an OK from the user. There is a dialog box that comes up and asks "Did you want
Re: (Score:2, Informative)
Note that the master password on its own is still not secure, because you only need to type it in once until you restart your browser, but combined with the add-on Master Password Timeout you are relatively safe. Just don't browse dodgy websites minutes after logging in.
Dupe? (Score:5, Informative)
Re: (Score:1)
Dupe? Of course! (Score:2, Informative)
Re: (Score:2)
Same solution (for FF) - which I got from a post in the previous story (thank you): Secure Login [mozilla.org].
Dupe? What else! (Score:2)
Ohmygod. Dupes belong to the culture of Slashdot; they are the cherry on the cake for all the people who don't get a message the first time, or who make a living pointing out dupes on /.
For what it's worth, messages with a subject ~ "*[Dd]upe*\!" are the most common dupes, and should be avoided at all cost.
We should stop pointing out dupes and start slashing non-dupes. That would reduce the traffic by at least 24.3% and would allow /. to postpone the next harddisk purchase by a month or two, or one c
Do not save passwords (Score:1, Insightful)
Re:Do not save passwords (Score:5, Insightful)
Re:Do not save passwords (Score:5, Informative)
I would also recommend installing "Master Password Timeout" which will re-prompt you periodically for the password.
Re: (Score:3, Insightful)
Suppose you sign up for online banking and set up a password. Then you sign up for some stupid website and use the same password. The problem is, you don't know if you can trust that 2nd site with your online banking password. They may just be phishing for passwords. Or maybe they are honest but incompetent enough to store your password in the DB in plain text, conveniently waiting there for the next hacker to locate.
The solution: Use separate
Re: (Score:2)
I really don't understand why this is considered insecure. My front door gets much fewer intrusion attempts than my firewall, and I have a very secure system in place there to restrict access (a deadbolt). If someone did break into my house and stole my password list, I'd know as soon as I got home, rather than having to wait until I see suspicious activity on my accounts. I get why keeping your work password on a sticky-note in your cubicle is a bad idea, but I don
Re: (Score:2)
Re: (Score:2)
If you use the master password, they are not. Regardless of whether you have already been prompted for it, it will ask again if you try to reveal passwords in the list "show passwords".
Re:Do not save passwords (Score:4, Informative)
You can set a master password to truly encrypt them. But if you let people access your hard drive, they can install keyloggers to steal the master password also. Or any password, no matter whether you save it or not.
Re: (Score:2, Funny)
It stores the password in plain text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a password this way. It is worse than writing your password down and putting it in your desk.
Even worse, because it uses plane text, you are helping the terrorists, who can now hijack your passwords and fly them into skyscrapers!
Please Help!! (Score:5, Funny)
FUD (Score:5, Informative)
Re: (Score:2)
Shit, that's totally insecure! Way to go, Mozilla! [nationalskyads.com]
Re:Do not save passwords (Score:5, Funny)
Re: (Score:2)
No Problem (Score:2)
NoScript (Score:5, Informative)
Repeat ad nauseam.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
-nB
Re: (Score:2)
Re:NoScript (Score:5, Insightful)
If I go to, say, Blogspot.com with FF and I'm a member, I probably log in and save my password with FF. If I have NoScript and I visit the page frequently and post lots of comments, I also probably have blogspot.com on the trusted site list. If I go to a malicious blog (well, alright, a blog that exploits this vulnerability -- they're all malicious) then a) I'll be on a site that the password manager trusts and b) I'll be on a site that NoScript trusts.
Re: (Score:2)
If the website allows that kind of malicious behavior, then they need to change.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
True, but you only add sites you trust which severely lowers the chances.
One can certainly save their passwords. Just don't save them directly in a monolithic application which is highly interactive with the Internet, such as a web browser. Use something like a virtual wallet such as KDE's KWallet (GNOME has a similar feature). This way you assign complex passwords (8 random characters, alpha-numeric, CaSe SeNsiTiVe) e.g. made with the c
Passwords in general (Score:5, Insightful)
This is why we need something better than text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do one of two things - use the password remembering method in their browser of choice, or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.
Re: (Score:2)
OpenID (Score:2)
Again? (Score:2, Insightful)
Stealing passwords? Hardly... (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
I assume you are making a dig at the anti-copyright crowd. The distinction you fail to see is that copyrighted works are published, letting recipients know exactly what is in them. It is merely the monopoly on copying and creation of derivative works that is protected by law in order to give the public an incentive to create new works. Passwords are opposite in that they are kept secret for a good reason. Also they p
NoScript (Score:2)
That said, is there a good Add-on for Firefox that handles password-management more securely? Something that keeps them store
An extension to help you... (Score:2, Informative)
Re: (Score:2)
Recommended if you are lazy (as i am) and allow FF to manage your passwords.
Not so critical (Score:2)
Re: (Score:2)
Is it Firefox specific? (Score:4, Informative)
Now, why is any of it Firefox specific? Any browser / browser-helper-object / password help toolbar would do the same. If you have only one user name for a site, Firefox will pre-fill the field. And the JavaScript can read it without a GET or POST. I would guess this behaviour of prefilling when the username is unique is probably a Firefox thing.
Generally sites that allow users to post javascript code would be dangerous and should not be visited. But I would not know a priori these sites.
Re: (Score:2)
Safari (Score:3, Interesting)
Re:Safari (Score:4, Interesting)
Trust (Score:2)
b) If it is not your machine, or if you think your machine is compromised, then you really shouldn't be typing your passwords in it to begin with.
Seriously, find a strong passphrase and store the damn password list as a PGP encrypted file on a USB pen drive. Only decrypt it on machines you trust. If you stil
the great law of computer security (Score:2)
Not the only issue (Score:2)
I have never heard of anyone else having this problem, and I cannot reliably reproduce it, but it does happen occasionally.
never need to remember unique passwords per site (Score:2)
Since
Stupid Design (Score:2)
It just seems to me like better design to require some sort of user interaction before coughing up a password.
Master Password (Score:2)
How to solve this (Score:2)
With input type=file, the script cannot write the value, and changing it to this from another type clears the value. With input type=password, have it so that changing it _from_ password _to_ another type clears the value, and so that the script cannot _read_ the value.
Learn more about this exploit (Score:2)
Like I'm dumb enough (Score:2)
That's what my brain is for. And for those of you without brains - and you know who you are - there are encrypted password managers for that.
Sorry to come in late but there catch to this (Score:2)
Is this a fix? No. Does this work on all OSes? Yes.
Re:Password Remember Function (Score:5, Insightful)
Like anywhere else, you need to make a trade off between usability and security. Sure, it's not perfectly secure, but it's not worth it to me to have to remember the one off junk password I made up for NYTimes.com.
The real issue, as usual, is javascript. I use "NoScript" and am careful about which sites I allow to execute scripts at all. That will do more for your security than anything else.
Low security passwords (Score:4, Funny)
Re: (Score:1)
Re: (Score:2)
I actually think gp is right to one extent.
For the sites I don't care about I use the same generic old password that I have used since 2003. I mean, if they are stolen I just risk a bunch of dummy email addresses and other crappy services I don't really care too much about. For the things that matter I keep tough and strong passwords that I had better remember and not "write down" or let a browser keep... Often the things that matter are just 3, so memory is not an obstacle...
Re: (Score:2)
Re:Password Remember Function (Score:5, Insightful)
You'd probably begin to care after someone "hacks" your MySpace page and posts distasteful or illegal language or images. Explaining all of that to a police officer or a judge and jury is rife with peril.
But the other point I think is pertinent here is that Firefox is really going for the common man crowd -- you don't buy a full-page ad in the New York Times if you want only geeks. So knowing that the average joe will be using Firefox and will happily save sensitive information if encouraged to do so (as one is with Firefox), that particular feature really has to be pretty rock-solid (or at the very least, not vulnerable to a pretty basic and classic javascript exploit).
Don't get me wrong -- I love Firefox and use it almost exclusively. But this is the kind of thing that, whether truly a hazard to most users or not, can scare people away if it is carelessly presented to the public. Or if it really is a risk.
Re: (Score:2)
Re:Password Remember Function (Score:5, Funny)
Re:Password Remember Function (Score:5, Insightful)
If you use many websites that require you to log in you don't have many options. You could use one password for all of them, in which case a breach on one account by an attacker essentially breaches all other accounts that they discover, or you can use unique passwords on each site, in which case it soon becomes impossible to remember them all accurately - especially for sites that you don't use very often. Additionally, some sites have rules around the number of upper case characters, special characters, digits, etc. in passwords, and these can be particularly difficult to remember.
Certainly people are foolish if they store logins for bank accounts and the like in the password manager, but most people only have one or two really important logins.
People who use the remember passwords functions are not idiots. People who expect the "remember passwords" functionality to be secure are not idiots either - if an application used by millions includes such functionality one would expect the developers to have secured it.
Re: (Score:2, Insightful)
Re: (Score:2)
Care to back that up?
Re: (Score:3, Insightful)
Or Firefox for that matter (Score:4, Funny)
Wimp (Score:3, Funny)
Re:Wimp (Score:5, Funny)
netcat is for men.
Re:Wimp (Score:5, Funny)
Re:Wimp (Score:5, Funny)
Yeah, but can you generate outbound traffic?
Re: (Score:3, Funny)
Re: (Score:2)
Manually?! Wouldn't your hands be otherwise engaged?
Re: (Score:1)
I'm going log in to your email and send your mother all the gay porn I can find.
That would be found in a tarball of your home directory.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
It also means that bugs get fixed faster and that if mozilla stops supporting a platform someone else can, and that we can have things like swiftfox available, so I think it is a good trade.
But security through obscurity doesn't really work too well anyways...
Re: (Score:2, Insightful)
This one was a "how the browser works" based on visible behaviour, so it would have been found in a closed-source app as well.
Re:You can always do this kind of stuff with cooki (Score:2)
Err, I don't know about MySpace, but any half-decently programmed website (hopefully the majority) won't be storing anything in your cookies other than trivial configuration preferences and a session key. Certainly not your password. While it's possible to hijack the session by reading the session key (and there are ways of preventing that on the server side too), that won't get you the user's password. Unless the site in question is incredibly badly programmed, in which case you're probably lost anyway.
Re: (Score:2)
Re: (Score:2)
http://kb.mozillazine.org/Signon.prefillForms [mozillazine.org]
In Firefox, enter
about:config
type prefill to search on this term, and double click the entry above to set it to false.
You will then have to double click on a field before password manager provides any input to the page.