Firefox 2.0 Password Manager Bug Exposes Passwords 315
zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."
But but but.... (Score:5, Funny)
I sense a disturbance in the force... (Score:5, Funny)
Cue "still more secure" arguments now.
Re: (Score:2)
Re: (Score:2)
Cue "still more secure" arguments now.
Also, "it will be fixed by tommorow as compared
to Microsoft's slow response" arguments.
Re:I sense a disturbance in the force... (Score:4, Informative)
Please look at the bug report. Submission of testcase file is November 12 (9 days ago)
From TFA: The clock is ticking... will Firefox beat IE's response time?
Re:I sense a disturbance in the force... (Score:5, Funny)
Re:I sense a disturbance in the force... (Score:5, Interesting)
Re: (Score:2, Informative)
Re:I sense a disturbance in the force... (Score:4, Informative)
HTML forms work just fine without Javascript. And yes, you're effectively tricked into clicking an action button. If you look at the sample "injected HTML", they make it look like the user is clicking a Flash movie when in fact they're clicking a blank image-type <input> on the page. This submits the GET-style form. So long as the user is "tricked" into clicking something, and forms are allowed, this could steal the password from the password manager.
The code is available in the text box at the bottom of the this page [info-svc.com]. Neither Flash nor Javascript is required to trigger the exploit, just a click from a user in a attacker-defined position on the page.
Many FF fans would say... (Score:5, Insightful)
OK, jokes aside, someone just released an exploit into the wild which *can't work on IE*. And they presumably still thought they were going to get something of value on it. Hiya, FireFox, welcome to the "visible enough to be a target" club. And it only gets worse. I hope your million bug finding eyes are bright and perky because it only gets worse and it never, ever stops.
Re:Many FF fans would say... (Score:4, Interesting)
And thus I think the million bug-finding eyes will be considerably less bleary if there are a million exploit-writing fingers. When you have anything that turns security into convenience like this, you should say "Hm. This could be exploited by foo method, and if this exploit becomes viable - if there's some popular website that allows arbitrary HTML - we should remove this feature for our users' sake."
Re:Many FF fans would say... (Score:5, Insightful)
Internet Explorer 6/7, Why The Proof Was for FF (Score:2, Insightful)
The attack at MySpace worked against IE users because many were lured into typing their passwords into a form. I saw this in action. It was almost indistinguishable from the legitimate version.
The Bugzilla reference to IE 6/7 was not a comment on the info-svc proof, but the proof at
https://bugzilla.mozilla.org/attachment.cgi?id=245 426 [mozilla.org]
That form does some interesting things in both browsers, but it does not reflect a normal client/server situation.
RTFA? (Score:2, Funny)
The hell, you say.
'Tis slashdot, bucko:
No read-read today.
Always for good suds we pray.
Burma Shave
Re: (Score:2)
Re: (Score:2)
But if anybody cares, I'm still a Firefox user. I never use the save password feature.
Re: (Score:2)
Does anyone actually really USE the password manager on these things???
I mean, the first time I fire up a browser, and it annoys me with that banner asking if PWM can help me with my passwords, I immediately say no...and go in preferences and turn the fucker off.
What an irritant......
Re: (Score:2)
Re: (Score:2)
Or would you prefer the 1 user multi-lined wordy edition?
Would you like me to grab the domain heyslashdotitrieditandfoundie6didntfail.com and make a page/blog entry t
passwords have failed (Score:5, Insightful)
Now that its 2006, can we now use a better form of "authentication" than a few ascii characters?
Every website wants you to have a password. You know, for important stuff like making a purchase because you use a password for a purchase at a brick and mortar store, right?
Well, since its a good practice to use unique passwords, and users get forgetful, then they use the web browser tool to store their passwords, then they forget their passwords, and when they use another computer or update their existing one, their tool does not work, and if it does work, then the browser gives away your passwords.
I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID). But all day at work, these programs continually ask for my password to the point that I dont consider my password secure because I have to change it, and use it so much, I'm desensisized (sp?) and say who cares?
Can we get over passwords soon?
Re: (Score:2, Funny)
Re: (Score:2)
Re:passwords have failed (Score:5, Insightful)
How far you go, it doesn't matter. There will always be a trade-off between security and convenience. Personally, I trust a good lock more than I trust RFID. But even if you go all the way to biometrics, there will always be way a to hack the system.
Even so, this Firefox security flaw is a nasty one.
Re: (Score:3, Interesting)
Someone across the world cannot pick a lock, steal a car, or disrupt an RFID tag, or any of those things.
None of those things expire, have to be changed, have to be mentally remembered, cannot easily be given to another person without disrupting my use of them.
Even simple locks that can be cut with simple wire cutters are more secure than a password because
Re: (Score:2)
Re: (Score:2)
http://sysadminco.com/vuln/ [sysadminco.com]
No intervention needed on payload page. Javascript does it all automagically.
Re:passwords have failed (Score:5, Interesting)
Infinitely more secure than our current password system, a lot more convenient (think Microsoft Passport's bragged about convenience, except none of your data is stored on a central server), and all around the BetterWay(tm). The main downside if when roaming to another machine if you don't have your key, you don't have access. This can be addressed with either being able to fall back on a password (removing a lot of the security), or some means of authenticating to your home computer.
You could also add some sort of spec for feeding VCard info into the agent so that sites could use it to do a sort of shared profile feature, where you'd authorize a site to receive certain info and save you a lot of time filling stuff out.
Unfortunately this is just yet another thing on the list of "tech the way I think it should be", not anything on anyones todo lists.
Re: (Score:2)
USB flash drives are becoming really popular. Some standard location on a flash drive to place a private/public key pair, would mean you could provide credentials just by sitting down at a PC and plugging in your flash drive. Having said that, then means losing the drive is... really, really bad. Also means a virus infected system could grab your keys, but then that's more or less a risk with password
Java ring? (Score:5, Interesting)
Re: (Score:2)
They do sell USB adapters for iButtons - see http://www.maxim-ic.com/products/ibutton/products/ adapters.cfm [maxim-ic.com]. However it looks like the crypto iButton itself has been discontinued. I hope that someone does release a similar product in the future, before the battery dies in the one I am currently using.
Re: (Score:2)
Re:passwords have failed (Score:5, Insightful)
Any site that uses financial information (my bank, eBay, PayPal, Amazon, or whatever I'm buying, my own servers, etc.) doesn't get the password stored in any form of password manager. On the other hand, inconsequential services like news sites, LUG sites, aquarium discussion groups and the like may have the passwords stored. If it's important, don't store it, don't write it on a post-it note, don't tell your friends.....people cannot be trusted.
It seems that any security protocol can be circumvented by exploiting the end users who use them poorly or rely on something other than common sense for security.
It took all of about 5 minutes to explain phishing to my girlfriend. Now, she's almost 1/104358506th as paranoid as I am, which is a good start.
Now, I'm out of tinfoil......off to the store.
Re: (Score:2)
one to log onto my machine. One to decrypt an encrypted filesystem, and the third is for application in which I store the information. With OS X I can literally click twice, type in both passwords and can look up the forgotten pas
Re: (Score:2)
Honestly a print out (with the actual passwords stored in an encrypted file that is only accessed when a new password is added or a new printout is needed) is probably more s
OpenID? (Score:2)
I'm not sure how this would protect against this kind of vulnerability, but I am convin
Re: (Score:2)
What would you give them? Fingerprint? SSN? Photo? Voiceprint? Those are all things you cannot change. With an ASCII password, at least you can change it or throw it away.
Re: (Score:2)
Is it used? (Score:5, Insightful)
Re: (Score:2, Funny)
Re: (Score:2)
Saving passwords should not be a browser feature. I am ashamed that such a big bug could make it into firefox. Hopefully staying on 1.5 and not using any sort of "password management" (except cookies) will keep me safe from this. At least it will probably be ficed today, if it hasn't already been fixed.
Re:Is it used? (Score:4, Insightful)
Saving passwords absolutely should be a browser feature; it's a feature I use all the time.
However, I too am ashamed that such a big bug - or rather, design flaw - could make it into Firefox. I understand the usefulness of being able to use the same saved password information across multiple login forms on one site, but surely someone should have realized the danger here. I mean, these are browser developers. They should have known better.
Hopefully they'll figure out a solution soon.
Not a lot of better options (Score:5, Insightful)
I was disappointed to hear of this vulnerability, because I use Google Browser Sync pretty heavily for keeping track of cookies and trivial passwords, and to be honest I'm not really sure what I'd do without it. More important passwords I keep in an old Palm Pilot using a GPLed password-management and generation program on it, but recalling passwords from it is a pain (takes several minutes to get Palm out, type in master password, etc.).
Re: (Score:2)
I was puzzled to hear of this vulnerability. I am certain this exact topic has come up before in relation to saving passwords, over a year ago. I thought it was going to be addressed by making the forms non-submittable by JavaScript, and giving the input fields fake blank values when JavaScript read them - of course, only when the form information was automatically entered by the browser.
Did I just imagine all that, or can somebody else confirm this
Re:Is it used? (Score:4, Interesting)
Of course, the truly telling moment was when I found out how lame his password is. Not that I'd expect anything different from someone dumb enough to store their password on someone else's computer in the first place.
So, in other words, passwords continue to be useless for people dumb enough to leave them lying around. I've used the same password for years and it's by no means secure (only just a bit more secure than using my first name) but it's never been an issue for me. The only time I've been concerned is when websites force me to come up with something that fits their requirements, because that means that I do end up writing it down somewhere. The sooner webmasters realize that setting specific requirements for passwords makes them less secure (my bank requires an alphanumeric PW 6-8 letters long with mixed case - that massively narrows down a brute force attack), the better. In the end, most of it comes down to user stupidity, so we might as well not limit the complexity of good users or force them to use something too obscure to remember (or, worse, say 'write this down in a place you can easily access').
Re:Is it used? (Score:5, Informative)
Re: (Score:2)
so, what was it?
Re: (Score:2)
No, I won't tell you the school or the username. But if you want to dig around, go ahead - my name and college are certainly out there if you want to look at his course schedule.
Opera Vulnerable? (Score:2)
Re: (Score:3, Informative)
It's why this vulnerability is so stupid, all the FF team had to do was copy the way Opera does it.
In order to use the password manager, you need to click on the wand, or hit ctrl & enter together.
The ctrl enter shortcut is a beautiful idea, because after recalling the password, it "clicks" the button that currently has focus, which is usually the "login" button, so most o
Re:Is it used? (Score:5, Interesting)
Re: (Score:2)
I use quite common scheme - I don't care about remembering my passwords at all if they are related to not so critical things like my Slashdot account, Bugzilla account for project Foo etc. etc. - I genera
Re: (Score:2)
It's sad that you don't have a loving, trusting relationship with your browser. Perhaps you should get some therapy...
Re: (Score:2)
2) Banking sites don't seem to get their PWs saved anyway, as much as I'd like them to.
3) in the end, your ISP has your PWs, so if ur important enuf, ppl can get your stuff.
just update it? (Score:2)
Re: (Score:3, Insightful)
Arrrrr (Score:4, Insightful)
Worst idea ever. The question isn't why wasn't this discovered earlier, but who decided this was a good idea in the first place?
Re: (Score:2)
Re: (Score:2)
Yes, this vulnerability is a problem and needs to be fixed, but let's not throw the baby out with the bathwater.
And for you, Mr-I-Dont-Like-It
Re: (Score:2)
Agreed it should check the form action (Score:2)
Re: (Score:2)
I also don't want to cultivate habits that'd give out my password to firefox on whoever's machine I'm on.
Re:Arrrrr (Score:5, Insightful)
I'd be perfectly happy with this becoming part of the accepted security model for web applications, just like "don't let user-generated content include SCRIPT tags with arbitrary content".
Re: (Score:2)
> that required passwords, included user-generated content, and allowed that user-generated content
> to include password fields.
So the bug isn't really in Firefox at all. It's in the Web sites.
Re: (Score:2)
>>The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain.
>Worst idea ever. The question isn't why wasn't this discovered earlier, but who decided this was a good idea in the first place?
Well, if they read
Not just Firefox 2.0, also IE6/7 and earlier F'fox (Score:5, Informative)
So much for me being smug about going back to Firefox 1.5!
Re:Not just Firefox 2.0, also IE6/7 and earlier F' (Score:2)
Re: (Score:3, Informative)
They say it exists in IE 6/7, so they don't look like the only fool.
So how do they explain the fact that it really 'doesn't exist' in IE 6/7, and doesn't this make them look even more foolish?
And no I won't defend IE6 or even IE7. But keep the facts where they are; this is not an IE exploit.
stopgap measures include... (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
Dis-satisfied with v2.0 (Score:4, Informative)
It also took me a while to figure out how to remove the close button from each tab [wordpress.com]. The tab scrolling "feature" was also a point of great annoyance that took up more of my time to find a fix [lifehacker.com].
In short I'm just not jumping for joy over FF. This new flaw happens to come to light the day after I search Google for a way to manually add userids and passwords to the FF DB (any ideas?). This was to address the problem of FF not picking up some text fields as userid and password fields. One solution I found was RoboForm [roboform.com], though I'm not sure I want to pay for what I think should be a fairly easy thing to do inside FF. FF is getting better but personally I'd rather be using Mozilla 1.7.x.
Why I'm not using FF 2.0 (Score:2)
Re:Why I'm not using FF 2.0 (Score:4, Insightful)
Editing about:config is nearly as fast, but finding out that there is a value to edit, what it's called and what to set it to is a damn sight slower...
I Love FF BUT its not in the spirit of OS (Score:2)
Sounds more like a bug in myspace (Score:2, Insightful)
Allowing full html coding, including embedding java or javascript, is an invitation for the unscrupulous. That's one of the 500 reasons I can think of to never visit a website like myspace.
That said, much like language, the
Re: (Score:2)
I don't think your logic makes sense. Any scammer out there can get a nearly free hosting plan and upload whatever content they want. Using your logic, you'd never visit any web site created by anyone. You'd certainly never click a link on Google because you have no way of knowing what is on the other end (and you'd
Re: (Score:3, Informative)
Yes, but that's not a problem because they aren't on a domain where you have a saved password. The problem here is that random people can upload content to, say, myspace.com, and if you have a password for myspace.com, your browser will automatically fill their form in. When an attacker uploads something to attacker.example.com, you aren't going to care because you don't have a saved password for attacker.
Re: (Score:2)
I agree that the bug is first and foremost due to myspace, but the Firefox Password Manager certainly doesn't help. It should be clever enough to not fill out that particular form, as it does not direct to the myspace domain. Hopefully this will be fixed as soon as possible; seems to me that it shouldn't be such a huge fix.
But back to myspace. This fake form is extremely insidious, and looks exactly like the real thing. Only a viewing of the source HTML will reveal that there's something fishy. Allowing us
That is Scary (Score:2, Informative)
no need to save passwords --generate em on the fly (Score:5, Interesting)
Re:no need to save passwords --generate em on the (Score:3, Interesting)
echo "user:domain:iteration:masterpass" | binary hash | base64 | take first 16 characters
It's a simple algorithm which you don't need to keep secret. Also, you can write down the made-up user/domain/iteration triplets. All you need to keep secure is the master password. Thanks to the iteration, you can lose a generated password without affecting the secrecy of your master password or all the
Re: (Score:3, Informative)
Obligatory disclaimer! (Score:2, Funny)
Thought until now of multiple personality but mystery solved! It was just my browser!...
PS: I shall not be held accountable for ANY of my comments...
If it affects Firefox and Internet Explorer... (Score:2, Interesting)
WARNING (Score:4, Informative)
Credit card numbers are stored too. (Score:2, Informative)
They refuse to fix it, they say it's not a bug.
I don't think it's vulnerable to this because it's not fully automatic, however, all someone has to do to get your credit card number is type the first digit and it'll fill in the rest.
Their advice, "Don't use autocomplete".
Alternatives to browser stored passwords (Score:4, Informative)
Thank God! (Score:3, Funny)
Phew!
Password safety (Score:3, Informative)
I could care less if someone hacks my Slashdot account or my wikipedia account. The worst thing they can do is vandalize under my name. And as for hotmail, they can have my spam. And were I to have a myspace account, I could care less if someone got that too.
Fortunately, my bank and credit card companies don't allow others to create their own pages, so I'm not too concerned. I suspect this will get fixed long before it becomes a concern for me.
Hey (Score:2)
Eventually I'd thrown enough random ideas at the problem that I ended up finding out about this nightmare waiting to happen [mozilla.org]. Just for kicks I tried putting some code in the CSS to alert() all the (supposedly hidden) password values on the page. It worked.
My problem has never been in this area. (Score:2)
myspace... (Score:3, Informative)
I doubt you will find many places other than myspace where this "bug" will be exploited. Why? Because most sites that host user generated content are responsible enough to remove the users ability to post potentially-malicious markup language on the site. These sites strip almost all (if not all) markup and only allow a small handful of decoration tags like BOLD. (Slashdot is a perfect example of allowed html markup)
The problem is that the code on myspace is shoddy at best, and the fact that users can put any kind of html on their myspace page was an accidental result of such. Then when users figured out they could customize their page with css and other markup code they were happy, and so myspace left it in.
Nowadays everyone is so used to myspace letting them customize their page (in a shitty hack sort of way) that if they were to take that aspect away I think myspace would die in a month (I know a lot of girls who only go on myspace so that they can upgrade their page and make it look better by customizing it) so they are not likely to ditch this "feature" of their site.
Re: (Score:3, Informative)
Re: (Score:2, Interesting)
Have you personally tested this and found either browser to be vulnerable?
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
Firefox may be free. However, its developers are just as accountable for their mistakes as Microsoft should be for its own. Firefox gained the market share that it has because of a reputation for security. When the dev staff screw up so badly, it does a lot to erode
Re: (Score:2)
Memory seems better in FF2 to me
And this bug is present in all versions of FF and IE...
Re: (Score:2)
Re: (Score:2)
For most home users, a paper with passwords written on it is safer in the long run. Preferably the paper is not in plain sight or stuck to the monitor.