
Linux.com

Feature: News

Password vulnerability in Firefox 2.0.0.5

By Joe Barr on July 23, 2007 (2:45:00 PM)


According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw.

The Mozilla team fixed a similar flaw last November, one which did not require JavaScript. The heise Security Web site hosts a demonstration (proof of concept) of the flaw that you can use to check whether your own browser is affected.

The original flaw was referred to as reverse cross-site scripting and was reportedly widely used on Myspace.com.

Note: A reader has pointed out that MySpace.com does not allow JavaScript, as originally reported. The reader is correct, although there do seem to be workarounds which result in JavaScript executing on some browsers.

Discussions between heise Security and Mozilla developers describe a debate among the Mozilla developers over removing the password-fill feature altogether, since "evil" pages on the same server can steal passwords from the browser regardless of whether the user has opted in to Firefox's password management.

Apple's Safari is vulnerable in the same way. Current workarounds include disabling JavaScript in Firefox, or not using Firefox's password manager on sites that let their users post pages containing JavaScript.


Comments

on Password vulnerability in Firefox 2.0.0.5

Note: Comments are owned by the poster. We are not responsible for their content.

Password vulnerability in Firefox 2.0.0.5

Posted by: Anonymous [ip: 216.230.105.131] on July 23, 2007 04:04 PM
Let's be fair. For everything that sucks about MySpace, if there is one good thing about it, they do not permit JavaScript. This article is inaccurate.


Password vulnerability in Firefox 2.0.0.5

Posted by: Joe Barr on July 23, 2007 05:07 PM
I'll double check that, perhaps I got it wrong. If so, I will correct the article.


Password vulnerability in Firefox 2.0.0.5

Posted by: Anonymous [ip: 87.4.194.111] on July 23, 2007 05:10 PM
Well, the easiest way to protect yourself from this problem (that is not new, as far as I remember) is to save more than one password for the form. Firefox will not fill the fields automatically until you select one of the usernames, so the bug doesn't work anymore.

Still, malicious pages can steal your password if they are on the same website as the login form... that is not that common (well... MySpace...)


Don't forget E-Bay

Posted by: Anonymous [ip: 168.215.162.226] on July 23, 2007 05:25 PM
E-Bay allows JavaScript, which also makes for some fun phishing scams.


Password vulnerability in Firefox 2.0.0.5

Posted by: Anonymous [ip: 80.99.192.77] on July 23, 2007 05:30 PM
It's a fake alert. The JavaScript works only in the recorded login password's own domain and path. For Opera, the same plugin exists for password decryption. Somebody doesn't like Firefox and Safari.


FUD

Posted by: Anonymous [ip: 80.99.192.77] on July 23, 2007 05:31 PM
It's a FUD.


Password vulnerability in Firefox 2.0.0.5

Posted by: Anonymous [ip: 209.208.41.5] on July 23, 2007 06:42 PM
This issue was brought up a few months ago. An extension was created called "Master Password Timeout" that does just that. I use one master password in FF that, yes, I have to type in on a regular basis but it protects me from this....


Password vulnerability in Firefox 2.0.0.5

Posted by: Anonymous [ip: 206.207.225.13] on July 23, 2007 09:00 PM
What about Firefox providing a user option (which could not be overridden by the Web page code) to completely disable autofill of the password into a form?

That is, notify and require user intervention (a click) before autofilling the password field in the form... Is this an option in Firefox?


Password vulnerability in Firefox 2.0.0.5

Posted by: Anonymous [ip: 24.207.70.64] on July 23, 2007 09:22 PM
Use sxipper! It encrypts your passwords and integrates with the Firefox password manager!

http://sxipper.com/

This is not spam, a human actually typed this.


didn't work for me

Posted by: Anonymous [ip: 74.69.28.46] on July 23, 2007 10:23 PM
Totally did not work for me. Firefox 2.0.0.5 on Vista.


Firefox 2.0.0.5 Fixes This Idiots!!!

Posted by: Anonymous [ip: 71.68.234.227] on July 24, 2007 05:45 AM
Wow, God, sometimes I really do hate people who spread lies about software like this. FF 2.0.0.5 fixed this bug. It does not work at all!!!!!!!!!!

Test it yourself next time, guys!!


Re: Firefox 2.0.0.5 Fixes This Idiots!!!

Posted by: Joe Barr on July 24, 2007 03:55 PM
I am running Firefox 2.0.0.5, and the demo provided by heise Security, as linked to in the story, still shows the vulnerability.


Password vulnerability in Firefox 2.0.0.5...I'm Safe

Posted by: Anonymous [ip: 131.107.0.74] on July 24, 2007 06:54 AM
I tried Heise website...and I'm safe (Windows XP, FF v2.0.0.5).


Megacrap

Posted by: Anonymous [ip: 66.245.193.239] on July 24, 2007 09:17 AM
Is this a problem in Linux?


Password vulnerability in Firefox 2.0.0.5

Posted by: Anonymous [ip: 193.77.149.124] on July 24, 2007 10:31 AM
It's not FUD, and it works on my Fox 2.0.0.5.

It's true that the page can only retrieve the password for its own site.

The problem is that many sites allow anyone to create their own pages on their site.

So I create a page on MySpace and my page can obtain the password for MySpace;
I put this page on eBay and I can get the password for eBay, and so on.

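The mitigations argued for in the comments above (saving several usernames so nothing is filled silently, requiring a click before autofill, and scoping a saved login to the site and form it was saved for) can be expressed as one decision routine. The following is an added example, not code from the article, from Mozilla or from any extension mentioned here; the login store, the `.test` hostnames and the function name are constructed for illustration, and modelling the November fix as a form-action check is an assumption the article does not spell out.

```javascript
// Constructed store of saved logins: the origin the login was saved on, the
// form action it was submitted to, and the username. Passwords are omitted
// because they play no part in the fill/no-fill decision.
const SAVED_LOGINS = [
  { origin: "https://www.example-social.test", action: "https://login.example-social.test/auth", user: "alice" },
  { origin: "https://www.example-social.test", action: "https://login.example-social.test/auth", user: "alice-work" },
  { origin: "https://mail.example.test", action: "https://mail.example.test/login", user: "bob" },
];

function originOf(url) {
  return new URL(url).origin;
}

// Decide whether a password manager should fill a login form found at pageUrl
// that posts to formAction. userGesture is true only after an explicit click
// on the manager's own UI. Returns { fill, reason, candidates }.
function autofillDecision(store, pageUrl, formAction, userGesture) {
  const pageOrigin = originOf(pageUrl);

  // Only logins saved on this exact origin are considered at all: the
  // "recorded login password's own domain" scoping described in the comments.
  const sameOrigin = store.filter((l) => l.origin === pageOrigin);
  if (sameOrigin.length === 0) return { fill: false, reason: "no-saved-login", candidates: [] };

  // A form that posts somewhere other than the saved action gets nothing.
  // (Assumed model of the no-JavaScript variant fixed in November 2006.)
  const actionMatch = sameOrigin.filter((l) => originOf(l.action) === originOf(formAction));
  if (actionMatch.length === 0) return { fill: false, reason: "action-mismatch", candidates: [] };

  const candidates = actionMatch.map((l) => l.user);

  // Several saved usernames: never fill silently; the user must pick one.
  if (candidates.length > 1) return { fill: false, reason: "ambiguous-choose-user", candidates };

  // A single candidate is still not filled until the user asks for it, so a
  // script on a user-authored page under the same origin has nothing to read.
  if (!userGesture) return { fill: false, reason: "await-user-gesture", candidates };

  return { fill: true, reason: "ok", candidates };
}
```

Every branch except the last one leaves the password field empty, which is what the Secure Login extension recommended below achieves in practice by turning autofill into an explicit action.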

Knives to cut; ropes to hang

Posted by: Anonymous [ip: 74.225.160.107] on July 26, 2007 05:42 AM
>> The problem is that many sites allow anyone to create their own pages on their site.


Could not have said it better myself. The question still remains if Firefox can find a way to give end users the convenience without this particular inconvenience. It can be argued that Firefox should not allow this just like it can be argued that end users should know better and website/portal makers should know better.


Ordinarily, if you go into someone's house and get attacked, you expect that the host failed with security. But what happens when the host disclaims responsibility and opens up land for any and all to come and set up shop?


One way to attack the problem is by specifically finding websites that fit this pattern (open to public and allow strangers to mingle underneath the same domain) and then trying to find specific solutions that work for the particular site. This can be laborious and can be subverted at any time by the website owners by readjusting their code.


A simpler more general solution is to have a blacklist of sites known to be problematic.


Perhaps abolishing integrated password managers is actually an even better solution.


The simplest way to get security has always been by recognizing that the domain name or URL path (excluding the parameters passed to the page) separates attackers from the desired website. Once you use custom parameters to divide up a desired web destination from a competing web destination, it becomes almost impossible to find such fine-grained solutions. The most conservative approach would never even recognize the same webpage if visited under slightly different conditions (e.g., if session state is maintained).


Because of how difficult it is for the browser to solve the problem (it can't without disabling a lot of functionality), I "blame" the website developers who effectively are delegating away power over items within their site to strangers. It's a business decision on their part. It may lead to millions, followed by lawsuits, or to losing millions in lost opportunities. However, browser makers can add band-aids and do things to help their user base. The browser makers would be foolish to blame the website makers if in fact other browsers have some kind of solution in place (including disabling password management across the board).


Here is my last hack at this: why not force super strong security with pop-up flashing buttons whenever a "sudo" kind of action is required? We can build icons that represent various things. Through the icon use (visual feedback) and proper words of caution at the right time in a user-friendly way, people will learn to identify dangerous features of sites and in what ways they may be dangerous. If in doubt, they go to the very fine manual button and read up on that icon before enabling that potential security risk. The very fine manual can explain well the risks of password fill-in, cookie use, JavaScript function X use, etc. In short, all the knives and ropes that can be used for both good and bad can have various icons. Users should be encouraged to always surf with the icon safety lock on. They can then remove the lock selectively for various pages (or portions of pages) or under various contexts (the FF people will have to design this well for usability). The key is making the security easy to unset and set back, have clear explanations, and not be overly bothersome. For the specific case being discussed in this story, Firefox can further allow for a quick way for the end user to see a picture of what the webpage looked like at the time when they entered the passwords (or other potentially sensitive information). The user can then quickly realize, this is the same site basically and accept, or this isn't the same site and reject.


The moral of the story is that some problems do not reveal enough of their context to enable clear-cut solutions that can be invoked without any need for user intervention. This case of auto fill-in is one such scenario. Firefox should then focus on getting the end user to see the problem clearly (and timely) and without being burdened too much, eg, without too many false positives (limiting false positives without resorting to another MS Clippy is a goal). Websites that want to make things difficult for browsers and dangerous for users shall have their rewards.


Password vulnerability in Firefox 2.0.0.5

Posted by: Anonymous [ip: 217.155.151.38] on July 24, 2007 10:37 AM
WinXP, Firefox 2.0.0.5 -- and the Heise exploit works. Did you fail to see the pop-up javascript box showing your password?


Password vulnerability in Firefox 2.0.0.5

Posted by: Anonymous [ip: 86.106.251.190] on July 24, 2007 07:14 PM
Linux Ubuntu 7.04, and it actually works.


Current solution for FF 2.x

Posted by: Anonymous [ip: 195.144.200.250] on July 25, 2007 06:37 AM
Just install the Secure Login extension (it disables autofill of passwords and eliminates the shown threat).
See https://blueimp.net/mozilla/Secure%20Login/


Re: Current solution for FF 2.x

Posted by: Anonymous [ip: 74.74.219.54] on July 27, 2007 09:07 PM
Yes. That solves it. Without the addon, 2.0.0.5 on Linux is vulnerable!


Password vulnerability in Firefox 2.0.0.5

Posted by: Anonymous [ip: 80.168.247.226] on July 25, 2007 01:17 PM
Now do one which will grab my password from another site, say my YouTube password, which I have in password manager.

-- Bill P. Godfrey http://youtube.com/billpg


Password vulnerability in Firefox 2.0.0.5

Posted by: Anonymous [ip: 59.93.2.33] on July 25, 2007 03:07 PM
Yes, on my Linux systems with 2.0.0.5 this worked :x


Firefox/Iceweasel 2.0.0.6 fixed vulnies!!!

Posted by: Anonymous [ip: 59.93.14.66] on August 03, 2007 02:34 PM
Yes. Mozilla Foundation released a new version within a week fixing two more vulnerabilities: version 2.0.0.6. Go install it now / upgrade ;)


Password vulnerability in Firefox 2.0.0.12

Posted by: Anonymous [ip: 80.91.178.106] on February 27, 2008 02:18 PM
I'm using 2.0.0.12 on Linux, and it's still vulnerable.

