Firefox 2.0 Password Manager Bug Exposes Passwords

zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."
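To make the root cause in the submission concrete, here is an added example (not Mozilla's code, and not from the bug report): a simplified model of a password manager's autofill decision. It contrasts the domain-only matching the submission describes, which hands stored credentials to any password field on any page of the same host, visible or not, with a stricter policy that also requires the form to post to the same origin as the login form the credentials were saved on. The site names, credentials and URLs are constructed.

```python
# Added example (not Mozilla's code): a simplified model of the autofill
# decision, contrasting the domain-only matching the bug report describes
# with a stricter policy that also compares the form's submit target.
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class SavedLogin:
    site_origin: str    # scheme://host of the page the login was saved on
    action_origin: str  # scheme://host the login form submitted to
    username: str
    password: str


def origin(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def hostname(url: str) -> str:
    return urlparse(url).hostname or ""


def autofill_domain_only(saved, page_url, form_action):
    """Policy modelled on the bug: any password field on any page of the
    same host gets the stored credentials, no matter where the form posts
    and whether the field is visible."""
    return [s for s in saved if hostname(s.site_origin) == hostname(page_url)]


def autofill_strict(saved, page_url, form_action):
    """Stricter policy: the page origin must match where the login was saved
    AND the form must post to the same origin as the original login form."""
    return [
        s for s in saved
        if s.site_origin == origin(page_url)
        and s.action_origin == origin(form_action)
    ]


# Constructed sample data (not real credentials or sites).
SAVED = [SavedLogin("http://social.example", "http://login.social.example",
                    "alice", "hunter2")]

# A user-authored profile page on the same host carrying a hidden login form
# whose action points at a third party, the situation the RCSR write-up describes.
PROFILE_PAGE = "http://social.example/profiles/some-user"
ROGUE_ACTION = "http://collector.example/harvest"

# The site's genuine login page and form.
LOGIN_PAGE = "http://social.example/"
REAL_ACTION = "http://login.social.example/login"


def compare_policies():
    """Return which policy would fill credentials into which form."""
    return {
        "domain_only_fills_rogue": bool(autofill_domain_only(SAVED, PROFILE_PAGE, ROGUE_ACTION)),
        "strict_fills_rogue": bool(autofill_strict(SAVED, PROFILE_PAGE, ROGUE_ACTION)),
        "strict_fills_genuine": bool(autofill_strict(SAVED, LOGIN_PAGE, REAL_ACTION)),
    }


if __name__ == "__main__":
    for k, v in compare_policies().items():
        print(f"{k}: {v}")
```

The strict policy is the shape of the check later Firefox releases added: comparing the form's action against the one stored. Note its limit: a form on user-authored content that posts to the genuine login endpoint would still be filled, and script on that page could read the filled value, which is why prompting before autofill (the Master Password Timeout stopgap the submission mentions) or waiting for user interaction is the more robust defence on sites that host arbitrary HTML.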
  • by LordEd ( 840443 ) on Tuesday November 21, 2006 @07:41PM (#16941902)
    I tested the proof of concept attack on IE7 before posting. The attack failed. TFA even says:
    "RCSR attacks are also actively targeting Microsoft Internet Explorer, however a flaw in Firefox makes the attack much more likely to succeed."
    Go RTFA (the proof of concept one) using IE and reply if you get a different result. I didn't try it with IE6.
  • by irc.goatse.cx troll ( 593289 ) on Tuesday November 21, 2006 @07:51PM (#16942070) Journal
    I strongly hope so. My recommendation would be public key authentication, the way SSH can do it. You'd need a private key (possibly on a crypto card, but a thumbdrive or floppy or whatever works fine) and a password for that. You authenticate to the key when launching your encryption agent, then any website that wants to verify who you are contacts your agent and does the authentication there.

    Infinitely more secure than our current password system, a lot more convenient (think Microsoft Passport's bragged-about convenience, except none of your data is stored on a central server), and all around the BetterWay(tm). The main downside is when roaming to another machine: if you don't have your key, you don't have access. This can be addressed with either being able to fall back on a password (removing a lot of the security), or some means of authenticating to your home computer.

    You could also add some sort of spec for feeding VCard info into the agent so that sites could use it to do a sort of shared profile feature, where you'd authorize a site to receive certain info and save you a lot of time filling stuff out.

    Unfortunately this is just yet another thing on the list of "tech the way I think it should be", not anything on anyone's todo lists.
  • by Digitalia ( 127982 ) on Tuesday November 21, 2006 @07:53PM (#16942108) Homepage
    I tested IE6 and IE7 and the proof of concept page failed to work in both browsers. Neither browser passes the stored browser on to Google.

    Have you personally tested this and found either browser to be vulnerable?
  • Re:Is it used? (Score:4, Interesting)

    by Firehed ( 942385 ) on Tuesday November 21, 2006 @07:55PM (#16942134) Homepage
    It's not your own browser to worry about. It's others' browsers. My roommate decided to borrow my machine and was stupid enough to have Firefox remember his password on my machine to the main school portal. No biggie, except that the 'reveal all passwords' button exists (and, last I checked, required no authentication to use).

    Of course, the truly telling moment was when I found out how lame his password is. Not that I'd expect anything different from someone dumb enough to store their password on someone else's computer in the first place.

    So, in other words, passwords continue to be useless for people dumb enough to leave them lying around. I've used the same password for years and it's by no means secure (only just a bit more secure than using my first name) but it's never been an issue for me. The only time I've been concerned is when websites force me to come up with something that fits their requirements, because that means that I do end up writing it down somewhere. The sooner webmasters realize that setting specific requirements for passwords makes them less secure (my bank requires an alphanumeric PW 6-8 letters long with mixed case - that massively narrows down a brute force attack), the better. In the end, most of it comes down to user stupidity, so we might as well not limit the complexity of good users or force them to use something too obscure to remember (or, worse, say 'write this down in a place you can easily access').
  • by caseih ( 160668 ) on Tuesday November 21, 2006 @08:05PM (#16942278)
    There is a neat little piece of javascript at http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/ that lets you just think up a master password in your head and then use this applet to automatically generate a site-specific, unique hash and fill in the password field automatically. This way you can remember the passwords easily, you never have to save them or write them down. And if one site gets compromised, that password (the hash) won't work with any other site. The drawback is that if you don't have this piece of javascript then you can't get into your sites.
  • by ewl1217 ( 922107 ) on Tuesday November 21, 2006 @08:10PM (#16942362)
    Does anyone know if Konqueror (using KDE Wallet) is affected? And what about other browsers, like Opera, Epiphany, and so on? I'd just like to know how common this type of exploit is.
  • Java ring? (Score:5, Interesting)

    by CustomDesigned ( 250089 ) <stuart@gathman.org> on Tuesday November 21, 2006 @08:11PM (#16942374) Homepage Journal
    Remember the Java ring? It had a processor and stored the private key in a tamper resistant case (erases instantly when case is compromised). PC programs would ask the Java ring to sign things. A virus could get bogus signatures while it was connected, but couldn't compromise the key. Unfortunately, it used a funky "One Wire" adaptor to get power and talk to a PC. If only they would reintroduce it in a USB format!
  • Re:Just 2.0 ? (Score:0, Interesting)

    by Svippy ( 876087 ) on Tuesday November 21, 2006 @08:24PM (#16942552) Homepage

    Firefox 3.0 does not seem to have the problem. But Firefox 3.0 is still in Alpha. So yeah.

  • Re:Is it used? (Score:5, Interesting)

    by makomk ( 752139 ) on Tuesday November 21, 2006 @08:26PM (#16942578) Journal
    I use Konqueror/KWallet to remember most of my passwords. It's encrypted (requires a password to access), only fills in the forms on the page you originally hit "Save Password" on (inconvenient, but helps reduce the security issues), and closes the wallet (requiring re-entry of the password) when I lock my screen, my screensaver starts up, or after 10 minutes of non-use of the wallet. Slightly paranoid compared to Firefox, but it works.
  • by hackstraw ( 262471 ) * on Tuesday November 21, 2006 @09:21PM (#16943372)
    Locks get picked. Cars get stolen. RFID can be disrupted, tampered with or your card can get stolen (I'm assuming you don't have RFID tags in your arm).

    Someone across the world cannot pick a lock, steal a car, or disrupt an RFID tag, or any of those things.

    None of those things expire, have to be changed, have to be mentally remembered, cannot easily be given to another person without disrupting my use of them.

    Even simple locks that can be cut with simple wire cutters are more secure than a password because when a simple lock is used on something it symbolizes that it is something out of the ordinary.

    Passwords are ordinary to the point of being obnoxious. Normal users don't associate them with security, but with something that just happens all the time on computers. Even today, it's fairly trivial to social engineer a password over the telephone, but even the blondest of secretaries would not give keys to basically anything.

  • You're lucky. (Score:1, Interesting)

    by Anonymous Coward on Tuesday November 21, 2006 @09:22PM (#16943376)
    You're actually having a better experience than many people.

    About a year ago I helped my father-in-law switch to Firefox. He recently decided to try Firefox 2.0, but had a lot of problems with it. One was that it made his computer slow down a lot. So on the weekend when my wife and I went to visit, I took a look at his PC. Sure enough, it was terribly slow when using Firefox.

    See, he has a machine with "only" 512 MB of RAM. What did Firefox do? According to Task Manager, it was consuming 1896 MB of RAM. I remember the number exactly, as it was 100 years before my son was born. Sure enough, the machine would thrash to a terrible extent. I removed all traces of Firefox, and reinstalled it. No third-party plugins were used, yet we found the exact same problems.

    Our final solution was Opera. Unlike Firefox, he reports that it hasn't measured above 35 MB of RAM consumption.

  • by Geoffreyerffoeg ( 729040 ) on Tuesday November 21, 2006 @09:28PM (#16943444)
    I don't think this is, per se, a bug. If you save a password for www.myspace.com, and there's a password field on www.myspace.com/*, the password manager should fill the field in. When they added the auto-fill feature (as opposed to, say, click a toolbar button to fill in passwords) they should've considered this.

    And thus I think the million bug-finding eyes will be considerably less bleary if there are a million exploit-writing fingers. When you have anything that turns security into convenience like this, you should say "Hm. This could be exploited by foo method, and if this exploit becomes viable - if there's some popular website that allows arbitrary HTML - we should remove this feature for our users' sake."
  • by TCM ( 130219 ) on Tuesday November 21, 2006 @10:24PM (#16944032)
    They're just using MD5, which you could reproduce on any computer. In fact, that's how I generate _all_ my passwords:

    # hash algorithm left open in the original; sha256 shown here
    echo "user:domain:iteration:masterpass" | openssl dgst -sha256 -binary | base64 | cut -c1-16

    It's a simple algorithm which you don't need to keep secret. Also, you can write down the made-up user/domain/iteration triplets. All you need to keep secure is the master password. Thanks to the iteration, you can lose a generated password without affecting the secrecy of your master password or all the other passwords.

    A simpler version would be to take the ASCII hash directly as a password. However, using a binary hash and base64-encoding it allows you to cram more entropy per character into the resulting password.
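Both the PasswordComposer comment above and this one describe the same idea: derive a unique per-site password from a master password so that nothing has to be saved in the browser and a compromise at one site does not expose the others. The following is an added example, not the PasswordComposer applet and not TCM's own script. It implements the user:domain:iteration:masterpass pipeline in Python (the hash is unspecified in the comment; SHA-256 is an assumption here), shows the iteration-bump rotation the comment relies on, quantifies the base64-versus-hex entropy point, and goes one step beyond the page with a PBKDF2 variant: with a fast hash, anyone who obtains one derived site password can test master-password guesses at hash speed, while a slow KDF makes each guess cost many hashes.

```python
# Added example (not the PasswordComposer applet and not TCM's own script):
# the "master password plus site -> unique per-site password" scheme the two
# comments describe, plus a slow-KDF variant that goes beyond the page.
import base64
import hashlib
import math


def derive_fast(user: str, domain: str, iteration: int, master: str,
                length: int = 16) -> str:
    """TCM's pipeline: hash "user:domain:iteration:masterpass", base64 it,
    keep the first `length` characters. The hash is unspecified on the page;
    SHA-256 is an assumption here. echo's trailing newline is kept so the
    result matches the shell pipeline."""
    msg = f"{user}:{domain}:{iteration}:{master}\n".encode()
    digest = hashlib.sha256(msg).digest()
    return base64.b64encode(digest).decode()[:length]


def derive_slow(user: str, domain: str, iteration: int, master: str,
                length: int = 16, rounds: int = 200_000) -> str:
    """Same inputs, but run through PBKDF2-HMAC-SHA256. A fast hash lets
    anyone holding one leaked site password test master-password guesses at
    hash speed; a slow KDF makes each guess cost `rounds` hashes."""
    salt = f"{user}:{domain}:{iteration}".encode()
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, rounds, dklen=32)
    return base64.b64encode(dk).decode()[:length]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits carried by `length` uniformly random characters from an alphabet,
    the comparison behind "more entropy per character" in the comment:
    base64 (64 symbols, 6 bits each) vs hex (16 symbols, 4 bits each)."""
    return length * math.log2(alphabet_size)


def rotate(user: str, domain: str, iteration: int, master: str) -> str:
    """Losing one site password: bump the iteration, keep the master."""
    return derive_fast(user, domain, iteration + 1, master)


if __name__ == "__main__":
    # Constructed inputs, not real credentials.
    pw = derive_fast("alice", "social.example", 0, "correct horse")
    print("site password:", pw)
    print("after rotation:", rotate("alice", "social.example", 0, "correct horse"))
    print("slow variant:", derive_slow("alice", "social.example", 0, "correct horse"))
    print("16 base64 chars:", entropy_bits(16, 64), "bits; 16 hex chars:", entropy_bits(16, 16), "bits")
```

Two practical caveats: base64 output contains '+' and '/', which some sites' password rules reject, so a deployment needs a documented fallback mapping; and because derivation is deterministic, the master password can never be changed without re-deriving every site password, which is exactly the trade-off the comment accepts in exchange for never storing anything.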
