
Password Vulnerability In Firefox 2.0.0.5

CmdrTaco posted more than 6 years ago | from the waiting-for-the-patch-boys dept.

Mozilla

Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."

176 comments

Is this OS independent? (4, Interesting)

sexybomber (740588) | more than 6 years ago | (#19956533)

I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?

Re:Is this OS independent? (5, Informative)

Compholio (770966) | more than 6 years ago | (#19956581)

I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?
I can confirm that it works on Linux.

Re:Is this OS independent? (2, Funny)

jsse (254124) | more than 6 years ago | (#19957725)

I can confirm that it works on AmegaOS, Atrai, Sinclair ZX81 and PDP too.

Well...actually I can't. If you excuse me, I'll go back to my corner where I can dialog with my shadow.

Re:Is this OS independent? (5, Informative)

Mr. Sketch (111112) | more than 6 years ago | (#19956737)

From what I read, yes. It only exposes passwords for the site you're visiting. The most common case of this is on myspace, where visiting a malicious website will transfer your myspace username/password to the website owner. This vulnerability exists on sites that allow users to post custom html and javascript and will expose your username and password for that site.

This does not expose all your passwords, so if you have you bank password stored, it's safe, unless your bank has pages that allow users to post custom html and javascript.

Re:Is this OS independent? (3, Insightful)

slagell (959298) | more than 6 years ago | (#19957101)

Or unless you use the same password for myspace and a bunch of other places

Re:Is this OS independent? (4, Funny)

PPH (736903) | more than 6 years ago | (#19957177)

Memo to self: Take my /. password, 'ImADork' off my bank account.

Re:Is this OS independent? (1)

snowgirl (978879) | more than 6 years ago | (#19957791)

You know... this is one reason why I don't store ANY of my passwords for webpages anywhere but my head.

Granted my IMs all store my password, because I want them to log in automatically, but I just simply do not trust a webbrowser to keep any of my passwords.

Re:Is this OS independent? (0)

0olong (876791) | more than 6 years ago | (#19958075)

Actually you're safe if you use a master password with your password manager. This solution has the benefit that you can use any amount of unique strong passwords for different sites while you only need to remember one.

Re:Is this OS independent? (4, Informative)

snowgirl (978879) | more than 6 years ago | (#19958237)

Actually you're safe if you use a master password with your password manager.


Well this story kind of points out why obviously, this statement isn't necessarily true.

Re:Is this OS independent? (2, Informative)

Simon Donkers (950228) | more than 6 years ago | (#19957343)

I have enabled the master password and the proof of concept fails. It launches a window asking me for my master password before filling in any passwords.

Note that the master password on its own still is not secure because you only need to type it in once until you restart your browser but combined with the add-on Master Password Timeout you are relatively safe. Just don't browse dodgy websites minutes after logging in.

Dupe? (5, Informative)

InvisblePinkUnicorn (1126837) | more than 6 years ago | (#19956549)

Dupe? Of course! (3, Informative)

IBBoard (1128019) | more than 6 years ago | (#19956821)

Yeah, it's the same issue. On the plus side, they don't link to the same article (unless you count the fact that this one links to an article that links to the article from the old one)

Re:Dupe? (1)

denttford (579202) | more than 6 years ago | (#19957889)

Yeah, the title seems to indicate that there is a vulnerability specific to the new FF release, but no. Same story.

Same solution (for FF) - which I got from a post in the previous story (thank you): Secure Login [mozilla.org].

Password Remember Function (0, Flamebait)

EveryNickIsTaken (1054794) | more than 6 years ago | (#19956559)

This is one of the reasons why the "remember my passwords" function is only used by idiots.

Re:Password Remember Function (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#19956571)

Also one of the reasons why "javascript" is only used by idiots.

Or Firefox for that matter (3, Funny)

benhocking (724439) | more than 6 years ago | (#19956639)

<satire>All the truly intelligent people use Lynx.</satire>

Re:Password Remember Function (5, Insightful)

SatanicPuppy (611928) | more than 6 years ago | (#19956613)

Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.

Like anywhere else, you need to make a trade off between usability and security. Sure, it's not perfectly secure, but it's not worth it to me to have to remember the one off junk password I made up for NYTimes.com.

The real issue, as usual, is javascript. I use "NoScript" and am careful about which sites I allow to execute scripts at all. That will do more for your security than anything else.

Low security passwords (3, Funny)

benhocking (724439) | more than 6 years ago | (#19956673)

Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.
Absolutely. My Slashdot password, for example, is one that I allow Firefox to remember. Er, not that I'm claiming Slashdot is BS or anything. ;)

Re:Password Remember Function (1)

mdm-adph (1030332) | more than 6 years ago | (#19956819)

Same for me -- important passwords, like my bank's online account access, I never allow anything to save, not even Firefox.

Re:Password Remember Function (1)

Vexorian (959249) | more than 6 years ago | (#19957297)

I actually think gp is right to one extent.

For the sites I don't care about I use the same generic old password that I have used since 2003, I mean, if they are stolen I just risk a bunch of dummy email addresses and other crappy services I don't really care too much about. For the things that matter I keep tough and strong passwords that I better remember and not "write them down" or let a browser keep them... Often things that matter are just 3 so memory is not an obstacle...

Re:Password Remember Function (1, Funny)

Anonymous Coward | more than 6 years ago | (#19956915)

Ah yes, the old "you are an idiot if you don't do things the way I do them" argument. Are we grumpy because we are out of Clearasil today? Or did mommy start asking for basement rent?

Re:Password Remember Function (1)

bahwi (43111) | more than 6 years ago | (#19956941)

Meh, if someone has access to my computer physically anyways they can get all my passwords by installing a keylogger anyways. The vulnerability only affects the sites that let people post custom html/javascript. Those sites are just social sites like myspace and other stuff and who cares if someone gets your password for that.

Re:Password Remember Function (0)

tygerstripes (832644) | more than 6 years ago | (#19957017)

Regardless of people's feelings on having their social-site password stolen, if this vulnerability allows someone on a social networking site to find your other passwords... oh, why am I bothering.

Re:Password Remember Function (4, Insightful)

eck011219 (851729) | more than 6 years ago | (#19957183)

There are a couple issues here. First of all ...

Those sites are just social sites like myspace and other stuff and who cares if someone gets your password for that.

You'd probably begin to care after someone "hacks" your MySpace page and posts distasteful or illegal language or images. Explaining all of that to a police officer or a judge and jury is rife with peril.

But the other point I think is pertinent here is that Firefox is really going for the common man crowd -- you don't buy a full-page ad in the New York Times if you want only geeks. So knowing that the average joe will be using Firefox and will happily save sensitive information if encouraged to do so (as one is with Firefox), that particular feature really has to be pretty rock-solid (or at the very least, not vulnerable to a pretty basic and classic javascript exploit).

Don't get me wrong -- I love Firefox and use it almost exclusively. But this is the kind of thing that, whether truly a hazard to most users or not, can scare people away if it is carelessly presented to the public. Or if it really is a risk.

Re:Password Remember Function (4, Insightful)

DigitAl56K (805623) | more than 6 years ago | (#19957031)

Who modded the parent post "Insightful", and why? It is a one line blanket statement cast against millions of people without discussion or foundation. I hope someone takes away your mod points.

If you use many websites that require you to log in you don't have many options. You could use one password for all of them, in which case a breach on one account by an attacker essentially breaches all other accounts that they discover, or you can use unique passwords on each site, in which case it soon becomes impossible to remember them all accurately - especially for sites that you don't use very often. Additionally, some sites have rules around the number of upper case characters, special characters, digits, etc. in passwords, and these can be particularly difficult to remember.

Certainly people are foolish if they store logins for bank accounts and the like in the password manager, but most people only have one or two really important logins.

People who use the remember passwords functions are not idiots. People who expect the "remember passwords" functionality to be secure are not idiots either - if an application used by millions includes such functionality one would expect the developers to have secured it.

Re:Password Remember Function (0, Troll)

EveryNickIsTaken (1054794) | more than 6 years ago | (#19957189)

So, just because millions of people use it, expecting it to be secure, then it is suddenly a good idea to do so? Please... Millions of people use their real CC or debit card numbers when purchasing online (instead of one-off "disposable" numbers) - despite the inherent security threats... Does that suddenly become a good idea because millions of people use it, expecting it to be secure?

Re:Password Remember Function (2, Insightful)

Anonymous Coward | more than 6 years ago | (#19957267)

Why do idiots still spread the FUD that it is bad or a "security threat" to use their credit card online? You are perfectly safe. If someone does steal and use your number you are only responsible for the first $50, and every bank I've ever dealt with will waive that. Idiots like you are the reason it took me so long to convince my mom not to use PERSONAL CHECKS on eBay. Because of the FUD about credit cards, I had a hard time explaining to her that they were MUCH safer than checks! You are MORE vulnerable using your credit card in a "real" store than online.

Do not save passwords (1, Insightful)

Normal Dan (1053064) | more than 6 years ago | (#19956591)

I never liked firefox's save password ability. It stores the password in plane text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a password this way. It is worse than writing your password down and putting it in your desk.

Re:Do not save passwords (5, Insightful)

Mascot (120795) | more than 6 years ago | (#19956743)

That's what the "Master Password" option is for.

Use a master password

        Firefox can protect sensitive information such as saved passwords
        and certificates by encrypting them using a master password. If you create a
        master password, each time you start Firefox, it will ask you to enter
        the password the first time it needs to access a certificate or stored
        password.

Re:Do not save passwords (4, Informative)

strobert (79836) | more than 6 years ago | (#19957219)

In addition if you run with Noscript and Secure Login it really helps protect you. The former can let you disable javascript (and java/flash too) by default and only enable for sites you trust. The latter makes it so that for remembered passwords firefox does not fill in the form. Instead it highlights the fields it would fill in and you have to hit the secure login button to post the form data. Makes it so that you know when your saved passwords are being used and bypasses the input flow so that keyloggers can't even record the data.

I would also recommend installing "Master Password Timeout" which will re-prompt you periodically for the password.

Re:Do not save passwords (3, Informative)

dvice_null (981029) | more than 6 years ago | (#19956771)

Passwords are not in plain text, but readable with Firefox.

You can set master password to truly encrypt them. But if you let people access your harddrive, you can install keyloggers to steal the master password also. Or any password, no matter whether you save it or not.

Re:Do not save passwords (0)

Anonymous Coward | more than 6 years ago | (#19956801)

or turn off JavaScript, and be also immune to the hundred other JavaScript-based attacks that have been found, and the hundred that will be found in the next 10 years.

Re:Do not save passwords (2, Funny)

Anonymous Coward | more than 6 years ago | (#19956861)

It stores the password in plane text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a passwords this way. It is worse than writing your password down and putting it in your desk.

Even worse, because it uses plane text, you are helping the terrorists, who can now hijack your passwords and fly them into skyscrapers!

FUD (4, Informative)

jrumney (197329) | more than 6 years ago | (#19956937)

Firefox's password file has never been in plain text, although if you don't specify a master password, the decryption key is stored in the same directory, so the encryption will only stop casual opportunists.

I know your password! (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#19956943)

i11it3r4t3
It stores the password in plane text
You can't spell a five letter word?
Eye no, eye muss bee knew hear.

Re:Do not save passwords (1)

piojo (995934) | more than 6 years ago | (#19957115)

I never liked firefox's save password ability. It stores the password in plane text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look).

I don't know whether they are in plaintext, but it matters very little. I found someone's firefox profile directory on my school's network, and looked for passwords because I was bored. I couldn't see anything, so I just copied the profile to my computer, and fired up firefox using that profile. It happily showed me all the passwords at my request. I think the same procedure would work for opera, or any browser that stores passwords. Obfuscated passwords probably only protect you from your younger siblings. (The older ones found your porn collection years ago.)

Now, there is one way I can think of that would make the obfuscation better. The browser could encrypt the passwords using the URL that they go to as the encryption key. (Obviously, the browser could not store this information with the password.) When a user browsed to www.example.com, the browser couldn't ask, "Do we have a saved password for www.example.com?" but it would instead say, "Here are all my passwords... when decrypted with the key, 'example.com', do they yield plaintext that looks like it could be a password?"

This approach is not really secure (because crackers would just take password lists and try decryption keys like "paypal.com" and "ebay.com" to get common/important passwords), but it has the advantage that it is impossible to start with no knowledge and end up with a list of site,username,password sets.

Re:Do not save passwords (0)

Anonymous Coward | more than 6 years ago | (#19957419)

yeah and the plane text is always flying away LOL!

Re:Do not save passwords (0)

Anonymous Coward | more than 6 years ago | (#19957739)

Why steal passwords???.....what U need em for? huh?

Re:Do not save passwords (4, Funny)

eln (21727) | more than 6 years ago | (#19957825)

Pretty much all text is plane text. Unless it's 3 dimensional I guess.

Is it just me? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#19956597)

Or does it seem like open source software sucks just as much as closed source software?
Actually, OSS definitely sucks more. Most of the time it's slower and has a dead ugly GUI.
I guess I am brainwashed by the evil corporations because when I use OSS, I don't feel any "more free".
I WANT TO BREAK FREEEEE~~~~~~

Please tell me more about this freedom thing Slashdot loves to talk about.
Thanks!!!

Open Sores Get Whats Coming To Them (0)

Anonymous Coward | more than 6 years ago | (#19956605)

That's what you get for your 'security through open sores' lectures we have had to endure over the years.

I'm going to log in to your email and send your mother all the gay porn I can find.

That horny slut will love having all that cock on her screen.

No Problem (1)

Mostly a lurker (634878) | more than 6 years ago | (#19956641)

"... If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."
Will not effect me: I have a notoriously bad memory for passwords.

Re:No Problem (0)

Anonymous Coward | more than 6 years ago | (#19957621)

It's good that you don't let your passwords define you, but the real question is whether or not this will affect you.

NoScript (5, Informative)

grub (11606) | more than 6 years ago | (#19956733)

NoScript [noscript.net]
Repeat ad nauseum.

Re:NoScript (1)

Aladrin (926209) | more than 6 years ago | (#19956919)

No joke, right? I forget the exact vulnerability that recently made me install NoScript, but there's been enough cross-site scripting, ajax, and stored-password exploits recently to make anyone paranoid.

Re:NoScript (1)

grub (11606) | more than 6 years ago | (#19957051)


Funny thing. The first and only cross-site warning I've had with NoScript was on our corporate webmail site.

Re:NoScript (1)

that IT girl (864406) | more than 6 years ago | (#19956951)

I guess it could be exploited even through the sites you allow, though.
Just another reason not to save your passwords. It's as easy to get to that as it is if I saved all my passwords in a document on my desktop, labeled "Passwords". Pfft.

Re:NoScript (1)

LuSiDe (755770) | more than 6 years ago | (#19957281)

I guess it could be exploited even through the sites you allow, though.
True, but you only add sites you trust which severely lowers the chances.

One can certainly save their passwords. Just don't save them directly in a monolithic application which is highly interactive with the Internet such as a web browser. Use something like a virtual wallet such as KDE's Kwallet (GNOME has a similar feature). This way you assign complex passwords (8 random characters, alpha-numeric, CaSe SeNsiTiVe) e.g. made with the command apg which you all save in your Kwallet (or applications such as LUKS, GELI, GPG, or TrueCrypt can be used for this purpose). Your Kwallet you put a master password on, and this is the only password you have to remember. Various applications can directly access Kwallet (KDE applications such as Konqueror) however should your application not support this you can manually open your Kwallet.

Should you use LUKS, GELI, GPG, or TrueCrypt be sure to close the mount point after you accessed the data. Eventually, one could put this on their PDA using that to store the data instead of directly on a machine connected to the Internet. Although I don't have a PDA, I do like this setup. You securely save your passwords and have them with you the whole time, but it does cost time and energy to retrieve the password. Hence, you do have a backup, while your data cannot be read from the desktop(s) themselves, whereas you circumvent becoming too lazy to remember your passwords because accessing the data on PDA costs a minute or so.

Re:NoScript [MOD PARENT UP!] (0)

Anonymous Coward | more than 6 years ago | (#19957125)

Alleluja!

Actually this piece of news is a dupe of a dupe of a dupe...

If you go online without noscript, you're braindead...

Re:NoScript (0)

Anonymous Coward | more than 6 years ago | (#19957163)

ad nauseAM

Easy to remember: it is just like when you puke darling.

Re:NoScript (5, Insightful)

Bacon Bits (926911) | more than 6 years ago | (#19957767)

NoScript is a horrible fix for this, because NoScript and the password manager use the same method to determine what is safe: the domain name of the server.

If I go to, say, Blogspot.com with FF and I'm a member, I probably log in and save my password with FF. If I have NoScript and I visit the page frequently and post lots of comments, I also probably have blogspot.com on the trusted site list. If I go to a malicious blog (well, alright, a blog that exploits this vulnerability -- they're all malicious) then a) I'll be on a site that the password manager trusts and b) I'll be on a site that NoScript trusts.

Not required. (0)

Anonymous Coward | more than 6 years ago | (#19958305)

Not required. FireFox, like most Open Source software has no security flaws. NEXT!

Passwords in general (5, Insightful)

the.nourse.god (972290) | more than 6 years ago | (#19956761)

<sarcasm>And this is why I save all of my passwords in IE</sarcasm>

This is why we need something better than text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do either one of two things - use the password remembering method in their browser of choice or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.

Re:Passwords in general (0)

Anonymous Coward | more than 6 years ago | (#19957505)

The best password manager is a pencil and a piece of paper. At work or if there are others besides you at home, the third tool in the password manager set is a locked drawer.

Not as bad as you think. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#19956829)

It's not possible for websites to steal saved passwords from other websites; it's only possible to steal a password if Firefox auto-fills a password field, and obviously this only occurs if you're on website you saved the password for in the first place.

Reading my list of saved passwords; my company intranet sites aren't vulnerable, my bank website isn't vulnerable, my shopping sites aren't vulnerable. All that is vulnerable are forum websites, and that's only if someone finds a way to inject Javascript, which is normally stripped out by all of them.

I don't think it's possible to avoid this without serious hijinks to the DOM; it has always been possible to inspect the current contents of form inputs, including password inputs.

Again? (2, Insightful)

HouseArrest420 (1105077) | more than 6 years ago | (#19956905)

How is this news again? If you have enough knowledge to post a slashdot article, it's certainly not your first time here, and one would hope you saw the SAME issue from 3-6 days ago.

Meh (0)

Anonymous Coward | more than 6 years ago | (#19956911)

As the announcement says:

"evil" server pages can steal passwords from browsers whether the user has opted for password management by Firefox or not.
It's the website's responsibility not to allow evil JavaScript on its domain. If they do - well, then all bets are off anyway...

Stealing passwords? Hardly... (4, Funny)

goldspider (445116) | more than 6 years ago | (#19956955)

This isn't theft, it's liberation! Information (including passwords) wants to be free!

Re:Stealing passwords? Hardly... (1)

AndersOSU (873247) | more than 6 years ago | (#19957463)

Not only that, but when they use the free passwords, it's not identity theft, it's identity infringement.

NoScript (1)

Junior J. Junior III (192702) | more than 6 years ago | (#19956981)

On the subject of Javascript-enabled security holes, I use Javascript because so many sites depend on it, but block all scripts using NoScript until I decide to trust the domain of origin of the script. What I'd really like is a NoScript that will let me look at the script's source code before I decide to trust it, and allow/deny scripts on a per-script rather than per-domain basis.

That said, is there a good Add-on for Firefox that handles password-management more securely? Something that keeps them stored in an encrypted format would be a step in the right direction.

Firefox only? (2, Informative)

IBBoard (1128019) | more than 6 years ago | (#19957009)

Is Firefox really that insecure for this compared to the others? Yes, it auto-fills it but then any site that lets other people add Javascript to a page is vulnerable in an almost identical way. The main part of the script (on a timer to allow for auto-population) is:

function doit()
{
  // read whatever the browser auto-filled into the page's own login form
  var name = document.passtest.name.value;
  var password = document.passtest.password.value;
  alert("Your username is: " + name + " and the password is: " + password);
}
All you need is to know the form on the page, subscribe to the submit event and snag the password contents for yourself and you've busted any browser wide open (as long as it lets you enter usernames and passwords) without the need to exploit password saving. You could even potentially listen for Ctrl+Enter key combos in Opera, although catching the use of the wand might be more difficult.

Re:Firefox only? (1)

IBBoard (1128019) | more than 6 years ago | (#19957165)

Just before someone starts "Firefox Fanboi!"ing at me, I do know there's a way where only Firefox's password remembering could be exploited. That situation is when you do what the demo does, but hide the forms through CSS, so the user won't see them but Firefox still auto-populates.

Still, I think the fact that a website lets you include Javascript (which could then let you steal any password entered on the page, remembered or not) is a *much* bigger vulnerability. There are just so many ways you could exploit and abuse that!

An extension to help you... (2, Informative)

Aleksej (1110877) | more than 6 years ago | (#19957119)

Secure Login [mozilla.org]

Re:An extension to help you... (1)

Aleksej (1110877) | more than 6 years ago | (#19957299)

That's what you get for writing one short and one long message in one comment, and then splitting them in two: someone else has posted the short one in the meantime.

Re:An extension to help you... (1)

e_AltF4 (247712) | more than 6 years ago | (#19957657)

Using it for some time and it seems to stop the vulnerability.

Recommended if you are lazy (as i am) and allow FF to manage your passwords.

Not so critical (1)

Klaidas (981300) | more than 6 years ago | (#19957171)

Sure, it's a big issue, yet how many people actually use the "remember my password" feature? I just usually check the "remember me" box near the login and password entering fields, or enter my passwords manually.

Is it Firefox specific? (3, Informative)

140Mandak262Jamuna (970587) | more than 6 years ago | (#19957197)

From what I understand, the user visits a site and the browser dishes out the remembered username password to that site. Whenever that site requests the username and password, the browser would do so. If the site allows any visitor to post javascript code and it incorporates such posted code as part of its own page, then the user too can use javascript to request the username/password and use javascript to phone home.

Now why any of it is Firefox specific? Any browser/ browser-helper-object /password help toolbar would do the same. If you have only one user name for a site, firefox will pre-fill the field. And the javascript can read it without a get or post. I would guess this behaviour of prefilling when the username is unique is probably a Firefox thing.

Generally sites that allow users to post javascript code would be dangerous and should not be visited. But I would not know a priori these sites.

I love FireFox BUT... (1)

thanksforthecrabs (1037698) | more than 6 years ago | (#19957205)

I use FireFox for 95% of my browsing (mainly because of no ActiveX and AdBlock Plus), but I've always wondered if being open source means that code monkeys can write script to steal passwords just by simply knowing how the browser works...not by taking advantage of a published security hole...

Re:I love FireFox BUT... (2, Insightful)

Vexorian (959249) | more than 6 years ago | (#19957349)

It also means that bugs get fixed faster and that if mozilla stops supporting a platform someone else can, and that we can have things like swiftfox available, so I think it is a good trade.

But security through obscurity doesn't really work too well anyways...

Re:I love FireFox BUT... (2, Insightful)

IBBoard (1128019) | more than 6 years ago | (#19957459)

Possibly, but how many bugs have been exploited in Firefox because of being able to view the source code and how many would have been picked up by a closed-source 'fuzzing' anyway?

This one was a "how the browser works" based on visible behaviour, so it would have been found in a closed-source app as well.

Site's fault. (1)

Aleksej (1110877) | more than 6 years ago | (#19957209)

Please, isn't it the site's vulnerability and not Firefox's, eh?!!
If a site owner tells me it's my browser's fault that their users can change their site's behaviour, and s/he is not going to do anything about it, I'll leave the damn site.

Re:Site's fault. (1)

Random BedHead Ed (602081) | more than 6 years ago | (#19957813)

I'm not entirely sure it is the site's responsibility. Or rather, who you choose to blame depends a great deal on how much you value your passwords. The warning inherent in this vulnerability isn't really intended for webmasters, but rather for browser users. And even if as a browser user you think you're safe, keep in mind that sites get hacked. Even if you trust a site, anyone who hacks it can start harvesting login credentials. Scary.

Re:Site's fault. (1)

Aleksej (1110877) | more than 6 years ago | (#19957947)

Agreed. Though, if the site gets hacked with that intent, nothing really matters as long as the user decides to enter the password...

Re:Site's fault. (1)

Aleksej (1110877) | more than 6 years ago | (#19958083)

I mean, nothing but NoScript matters, if the password is going to be transferred using JS. And then the problem is not unlike the one with remote images blocking: you'd like to allow it by the source, not only by the target. Well, at least I would.

You can always do this kind of stuff with cookies. (1)

scienceguy55 (904879) | more than 6 years ago | (#19957223)

In most cases a vulnerability like this will not significantly increase your risk of exploitation as most web sites store passwords in cookies anyway, which are supposed to be readable by javascript from the originating site. If I can run a script on a myspace profile that you visit I can get your password from the cookie that myspace stores on your machine.

Re:You can always do this kind of stuff with cooki (1)

adnonsense (826530) | more than 6 years ago | (#19957681)

Err, I don't know about myspace, but any half-decently programmed website (hopefully the majority) won't be storing anything in your cookies other than trivial configuration preferences and a session key. Certainly not your password. While it's possible to hijack the session by reading the session key (and there are ways of preventing that on the server side too), that won't get you the user's password. Unless the site in question is incredibly badly programmed, in which case you're probably lost anyway.

Trust (1)

BlueParrot (965239) | more than 6 years ago | (#19957901)

a) If it is your machine you could just as well use a PGP encrypted text file. If the website in question is still vulnerable, then it is a problem with the website, and changing browser won't help you.

b) If it is not your machine, or if you think your machine is compromised, then you really shouldn't be typing your passwords in it to begin with.

Seriously, find a strong passphrase and store the damn password list as a PGP encrypted file on a USB pen drive. Only decrypt it on machines you trust. If you still lose your password then you either typed it into a compromised machine ( meaning you're fucked anyway ), you were victim to a man in the middle attack ( meaning you're fucked anyway ) or there was a vulnerability on the server side ( meaning you're fucked anyway ).

Personally I don't trust a whole lot of websites to secure their own systems so I don't use my root or e-mail password for my facebook account...

Password = Password (1)

BrentRJones (68067) | more than 6 years ago | (#19958155)

keeps it much easier for all my sites, except my bank for which I use Pa$$word. I trust you guys here not to spread this around.

the great law of computer security (1)

wikinerd (809585) | more than 6 years ago | (#19958207)

The Great Law of Computer Security: Networked computers are insecure by nature. Everything that is stored within a networked computer can and will be compromised. Corollary: Always use a non-networked computer to store critical data, or better yet, no computer at all; a piece of paper inside your wallet is probably safer in most situations. Shortened version: Distrust all computers.

Not the only issue (1)

the_womble (580291) | more than 6 years ago | (#19958279)

I have found all versions of FF from 1.0 to 2.0.0.4 tend to sometimes store a password unasked, and then automatically fill in the password (but not the username) on my next visit to the site.

I have never heard of anyone else having this problem, and I cannot reliably reproduce it, but it does happen occasionally.