Firefox 2.0 Password Manager Bug Exposes Passwords 315
zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."
Re:I sense a disturbance in the force... (Score:5, Interesting)
Re:passwords have failed (Score:5, Interesting)
Infinitely more secure than our current password system, a lot more convenient (think Microsoft Passport's bragged about convenience, except none of your data is stored on a central server), and all around the BetterWay(tm). The main downside if when roaming to another machine if you don't have your key, you don't have access. This can be addressed with either being able to fall back on a password (removing a lot of the security), or some means of authenticating to your home computer.
You could also add some sort of spec for feeding VCard info into the agent so that sites could use it to do a sort of shared profile feature, where you'd authorize a site to receive certain info and save you a lot of time filling stuff out.
Unfortunately this is just yet another thing on the list of "tech the way I think it should be", not anything on anyones todo lists.
Re:What an incredible gaffe (Score:2, Interesting)
Have you personally tested this and found either browser to be vulnerable?
Re:Is it used? (Score:4, Interesting)
Of course, the truly telling moment was when I found out how lame his password is. Not that I'd expect anything different from someone dumb enough to store their password on someone else's computer in the first place.
So, in other words, passwords continue to be useless for people dumb enough to leave them lying around. I've used the same password for years and it's by no means secure (only just a bit more secure than using my first name) but it's never been an issue for me. The only time I've been concerned is when websites force me to come up with something that fits their requirements, because that means that I do end up writing it down somewhere. The sooner webmasters realize that setting specific requirements for passwords makes them less secure (my bank requires an alphanumeric PW 6-8 letters long with mixed case - that massively narrows down a brute force attack), the better. In the end, most of it comes down to user stupidity, so we might as well not limit the complexity of good users or force them to use something too obscure to remember (or, worse, say 'write this down in a place you can easily access').
no need to save passwords --generate em on the fly (Score:5, Interesting)
If it affects Firefox and Internet Explorer... (Score:2, Interesting)
Java ring? (Score:5, Interesting)
Re:Just 2.0 ? (Score:0, Interesting)
Firefox 3.0 does not seem to have the problem. But Firefox 3.0 is still in Alpha. So yeah.
Re:Is it used? (Score:5, Interesting)
Re:passwords have failed (Score:3, Interesting)
Someone across the world cannot pick a lock, steal a car, or disrupt an RFID tag, or any of those things.
None of those things expire, have to be changed, have to be mentally remembered, cannot easily be given to another person without disrupting my use of them.
Even simple locks that can be cut with simple wire cutters are more secure than a password because when a simple lock is used on something it symbolizes that it is something out of the ordinary.
Passwords are ordinary to the point of being obnoxious. Normal users don't associate them with security, but something that just happens all the time on computers. Even today, its fairly trivial to social engineer a password over the telephone, but even the blondest of secretaries would not give keys to basically anything.
You're lucky. (Score:1, Interesting)
About a year ago I helped my father-in-law switch to Firefox. He recent decided to try Firefox 2.0, but had a lot of problems with it. One was that it made his computer slow down a lot. So on the weekend when my wife and I went to visit, I took a look at his PC. Sure enough, it was terribly slow when using Firefox.
See, he has a machine with "only" 512 MB of RAM. What did Firefox do? According to Task Manager, it was consuming 1896 MB of RAM. I remember the number exactly, as it was 100 years before my son was born. Sure enough, the machine would thrash to a terrible extent. I removed all traces of Firefox, and reinstalled it. No third-party plugins were used, yet we found the exact same problems.
Our final solution was Opera. Unlike Firefox, he reports that it hasn't measured above 35 MB of RAM consumption.
Re:Many FF fans would say... (Score:4, Interesting)
And thus I think the million bug-finding eyes will be considerably less bleary if there are a million exploit-writing fingers. When you have anything that turns security into convenience like this, you should say "Hm. This could be exploited by foo method, and if this exploit becomes viable - if there's some popular website that allows arbitrary HTML - we should remove this feature for our users' sake."
Re:no need to save passwords --generate em on the (Score:3, Interesting)
echo "user:domain:iteration:masterpass" | binary hash | base64 | take first 16 characters
It's a simple algorithm which you don't need to keep secret. Also, you can write down the made-up user/domain/iteration triplets. All you need to keep secure is the master password. Thanks to the iteration, you can lose a generated password without affecting the secrecy of your master password or all the other passwords.
A simpler version would be to take the ASCII hash directly as a password. However, using a binary hash and base64-encoding it allows you to cram more entropy per character into the resulting password.