Firefox 2.0 Password Manager Bug Exposes Passwords 315
zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."
passwords have failed (Score:5, Insightful)
Now that its 2006, can we now use a better form of "authentication" than a few ascii characters?
Every website wants you to have a password. You know, for important stuff like making a purchase because you use a password for a purchase at a brick and mortar store, right?
Well, since its a good practice to use unique passwords, and users get forgetful, then they use the web browser tool to store their passwords, then they forget their passwords, and when they use another computer or update their existing one, their tool does not work, and if it does work, then the browser gives away your passwords.
I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID). But all day at work, these programs continually ask for my password to the point that I dont consider my password secure because I have to change it, and use it so much, I'm desensisized (sp?) and say who cares?
Can we get over passwords soon?
Is it used? (Score:5, Insightful)
Arrrrr (Score:4, Insightful)
Worst idea ever. The question isn't why wasn't this discovered earlier, but who decided this was a good idea in the first place?
Sounds more like a bug in myspace (Score:2, Insightful)
Allowing full html coding, including embedding java or javascript, is an invitation for the unscrupulous. That's one of the 500 reasons I can think of to never visit a website like myspace.
That said, much like language, the web is defined by its users. While I don't feel like it's Firefox's responsibility to fix issues like this, they'd do best to be aware of it. It wouldn't be a bad idea at all to tie password remembering to the exact url (at least everything up to the "?") by default.
Re:passwords have failed (Score:5, Insightful)
How far you go, it doesn't matter. There will always be a trade-off between security and convenience. Personally, I trust a good lock more than I trust RFID. But even if you go all the way to biometrics, there will always be way a to hack the system.
Even so, this Firefox security flaw is a nasty one.
Not a lot of better options (Score:5, Insightful)
I was disappointed to hear of this vulnerability, because I use Google Browser Sync pretty heavily for keeping track of cookies and trivial passwords, and to be honest I'm not really sure what I'd do without it. More important passwords I keep in an old Palm Pilot using a GPLed password-management and generation program on it, but recalling passwords from it is a pain (takes several minutes to get Palm out, type in master password, etc.).
Re:What an incredible gaffe (Score:3, Insightful)
Re:Arrrrr (Score:5, Insightful)
I'd be perfectly happy with this becoming part of the accepted security model for web applications, just like "don't let user-generated content include SCRIPT tags with arbitrary content".
Re:passwords have failed (Score:5, Insightful)
Any site that uses financial information (my bank, eBay, PayPal, Amazon, or whatever I'm buying, my own servers, etc.) doesn't get the password stored in any form of password manager. On the other hand, inconsequential services like news sites, LUG sites, aquarium discussion groups and the like may have the passwords stored. If it's important, don't store it, don't write it on a post-it note, don't tell your friends.....people cannot be trusted.
It seems that any security protocol can be circumvented by exploiting the end users who use them poorly or rely on something other than common sense for security.
It took all of about 5 minutes to explain phishing to my girlfriend. Now, she's almost 1/104358506th as paranoid as I am, which is a good start.
Now, I'm out of tinfoil......off to the store.
Many FF fans would say... (Score:5, Insightful)
OK, jokes aside, someone just released an exploit into the wild which *can't work on IE*. And they presumably still thought they were going to get something of value on it. Hiya, FireFox, welcome to the "visible enough to be a target" club. And it only gets worse. I hope your million bug finding eyes are bright and perky because it only gets worse and it never, ever stops.
Come on... (Score:1, Insightful)
Re:just update it? (Score:3, Insightful)
Internet Explorer 6/7, Why The Proof Was for FF (Score:2, Insightful)
The attack at MySpace worked against IE users because many were lured into typing their passwords into a form. I saw this in action. It was almost indistinguishable from the legitimate version.
The Bugzilla reference to IE 6/7 was not a comment on the info-svc proof, but the proof at
https://bugzilla.mozilla.org/attachment.cgi?id=24
That form does some interesting things in both browsers, but it does not reflect a normal client/server situation. IE's password manager behaves differently from Firefox when dealing with forms on more than one page, as in the info-svc proof.
In my opinion, both browsers should raise a warning when a cross-site form is loaded, or have that option.
Enjoy
Robert Chapin
Chapin Information Services, Inc.
Re:Many FF fans would say... (Score:5, Insightful)
Re:Is it used? (Score:4, Insightful)
Saving passwords absolutely should be a browser feature; it's a feature I use all the time.
However, I too am ashamed that such a big bug - or rather, design flaw - could make it into Firefox. I understand the usefulness of being able to use the same saved password information across multiple login forms on one site, but surely someone should have realized the danger here. I mean, these are browser developers. They should have known better.
Hopefully they'll figure out a solution soon.
Re:Why I'm not using FF 2.0 (Score:4, Insightful)
Editing about:config is nearly as fast, but finding out that there is a value to edit, what it's called and what to set it to is a damn sight slower...