Firefox 2.0 Password Manager Bug Exposes Passwords

Firefox 2.0 Password Manager Bug Exposes Passwords 315

Posted by kdawson on Tuesday November 21, 2006 @07:25PM from the be-careful-out-there dept.

zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."

Firefox 2.0 Password Manager Bug Exposes Passwords

This discussion has been archived. No new comments can be posted.

Search 315 Comments Log In/Create an Account

Comments Filter:

But but but.... (Score:5, Funny)

by Anonymous Coward writes: on Tuesday November 21, 2006 @07:29PM (#16941742)

...secure by design!!

I sense a disturbance in the force... (Score:5, Funny)

by LordEd ( 840443 ) writes: on Tuesday November 21, 2006 @07:33PM (#16941786)

...as though millions of Firefox users were laughing at IE users, and were suddenly silenced.

Cue "still more secure" arguments now.

stopgap measures include... (Score:4, Funny)

by Gary W. Longsine ( 124661 ) writes: on Tuesday November 21, 2006 @07:39PM (#16941876) Homepage Journal

...using Microsoft Internet Explorer. AAaaaaaaaaaaaargh!

Re:Is it used? (Score:2, Funny)

by wumpus188 ( 657540 ) writes: on Tuesday November 21, 2006 @07:44PM (#16941966)

That's what this new service is for. Let others remember your passwords!

RTFA? (Score:2, Funny)

by smittyoneeach ( 243267 ) * writes: on Tuesday November 21, 2006 @07:44PM (#16941968) Homepage Journal

RTFA?
The hell, you say.
'Tis slashdot, bucko:
No read-read today.
Always for good suds we pray.
Burma Shave

Re:passwords have failed (Score:2, Funny)

by Anonymous Coward writes: on Tuesday November 21, 2006 @07:45PM (#16941980)

Did you have a proposed solution? Or were just cryin' like a little bitch with a skinned knee and shit [imdb.com]?

Obligatory disclaimer! (Score:2, Funny)

by FaustIN ( 1030298 ) writes: <faustinroman@noSPam.gmail.com> on Tuesday November 21, 2006 @08:10PM (#16942342)

Aha!... that's why sometimes I don't remember posting bad language comments!
Thought until now of multiple personality but mystery solved! It was just my browser!...
PS: I shall not be held accountable for ANY of my comments...

Re:passwords have failed (Score:1, Funny)

by Anonymous Coward writes: on Tuesday November 21, 2006 @08:16PM (#16942446)

I know! Let's use a centralized auth. server! We will name it Passport!!! [wikipedia.org]- ...damn never mind

Thank God! (Score:3, Funny)

by PHAEDRU5 ( 213667 ) writes: <instascreed.gmail@com> on Tuesday November 21, 2006 @10:07PM (#16943866) Homepage

I have MS password management to control access to my Firefox password manager.

Phew!

Re:I sense a disturbance in the force... (Score:5, Funny)

by ticklish2day ( 575989 ) writes: on Tuesday November 21, 2006 @11:03PM (#16944388)

I switched to IE7 a week ago after Vista RTMd. I don't miss FF. I've also been running without anti-virus for the entire week. I ran a system virus scan today and ZILCH - no viruses. No spyware or adware either. It might have to do with the fact that my machine isn't connected to a network...

Re:Come on... (Score:2, Funny)

by Safiire Arrowny ( 596720 ) writes: on Wednesday November 22, 2006 @04:19AM (#16946460) Homepage

Actually, I posted that anonymously because I couldn't remember my username.

Re:passwords have failed (Score:2, Funny)

by wud ( 709053 ) writes: on Wednesday November 22, 2006 @08:27AM (#16947858) Homepage Journal

i store all my trivial passwords on bugmenot.com

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Firefox 2.0 Password Manager Bug Exposes Passwords 315

Firefox 2.0 Password Manager Bug Exposes Passwords More Login

Firefox 2.0 Password Manager Bug Exposes Passwords

But but but.... (Score:5, Funny)

I sense a disturbance in the force... (Score:5, Funny)

stopgap measures include... (Score:4, Funny)

Re:Is it used? (Score:2, Funny)

RTFA? (Score:2, Funny)

Re:passwords have failed (Score:2, Funny)

Obligatory disclaimer! (Score:2, Funny)

Re:passwords have failed (Score:1, Funny)

Thank God! (Score:3, Funny)

Re:I sense a disturbance in the force... (Score:5, Funny)

Re:Come on... (Score:2, Funny)

Re:passwords have failed (Score:2, Funny)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot