Potential Firefox password manager vulnerability

JavaScript and client side scripting.

Moderator: General Moderators

Post Reply
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Potential Firefox password manager vulnerability

Post by RobertGonzalez »

A colleague of mine just sent me this article. This is surprising and frightening at the same time.

http://www.info-svc.com/news/11-21-2006/

Apparently crafty phishers have found a way to tap into the 'Remember my Password for this' feature of Firefox (and from what I was reading, IE6 and IE7 as well) and auto-populate the password field of forms that post to a different domain. This requires some work on the hackers parts, but it works with scary efficiency.

PS This is the Firefox Bugzilla entry for this know bug.
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

See, this is why I don't use the password remembrance feature.
User avatar
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

Yeah, but you'd still need to visit the myspace profile and submit your information.

EDIT:
Actually in the case of using firefox, you need to fill in the username before the password would auto-fill. You'd need myspace, for example, to auto-fill the username thus auto-filling the password. As well, you need to click submit and, before anything, visit the myspace profile.

EDIT 2: And from this example: https://bugzilla.mozilla.org/attachment.cgi?id=245426 I get a warning from firefox explaining how this informations is to be send to an third-partied server. Atleast this is because I have the most recent version of firefox.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

There are 2 issues here. First the fact that FF (and IE apparently) fills in a password without checking the action of the form (going to another domain). That should be solved. In my opinion without a popup asking "Are you sure you want to ... ", as that doesn't work anyway and is irritating only.

But the other thing is that allowing users to use HTML and create forms on their pages is silly. Another reason why user-generated HTML is a bad idea.
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Web designers (and hackers) have to start somewhere :-p

But, I mean, FF and IE do give warnings about the feature and it's possible security glitches (at least FF did), so saving your password onto your computer is definitely a risk.
User avatar
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

Whispers... Opera...

Leaves the room quietly...

8)
Post Reply