Firefox Password Stealer

We’ve shown you how easy it can be to retrieve passwords stored in your browser, provided that someone has access to your computer. Well, that’s not the only way for a hacker to gain access to some of the information stored in the Firefox Password Manager. A new flaw that was just revealed late last week can retrieve some of your passwords using a very small amount of JavaScript.

How does it work? Here’s a quick example of what could happen:

  1. User visits a site such as their own blog hosted on a popular network (something like Blogger).
  2. They login, and have Firefox remember their username/password.
  3. They visit someone else’s blog on the same domain, and a username/password form appears on the site. As expected Firefox autofills the information for the user (both the username and password) so that they can just hit enter to login.
  4. The site is able to use some JavaScript to store the username and password without the user even hitting the Submit button. This is done by having the JavaScript go and retrieve the values located in the text box (document.<form>.<field>.value).

This flaw can only be used to expose the username and password that is entered into a form, and Firefox automatically does this for people who have stored a password. That means your information could be surrendered without you even realizing it.

If you want to try this out yourself, Heise has setup a demo site where you makeup a username/password, and then have Firefox store it. Then when you go to the “evil” page, Firefox will automatically fill out the form and a popup will reveal the username and password you stored.

To get around this happening, it is recommended that you either don’t store passwords in Firefox or you disable JavaScript. Of course, this is really only an issue on a “network” of sites that all have the same domain. The reason for that is because Firefox will not, for example, fill in your bank’s username and password here on CyberNet. So just be aware of what passwords you have stored, and you can always have Firefox prompt you for a master password before it autofills any information.

An alternative that xpgeek pointed out in the forum is to install the Secure Login extension to prevent Firefox from automatically filling in password forms.

Note: This vulnerability also affects the Safari browser.

— What’s the Most Secure Browser? —

I decided to lookup on Secunia, who tracks vulnerabilities for more than 14,000 applications, to see which browser is currently the most secure. Here’s what I came up with:

  • Opera 9.x has had 8 advisories, all of which have been patched. [source]
  • Firefox 2.0.x has had 13 advisories, and there are 6 that have not been patched. [source]
  • Internet Explorer 7.x has had 14 advisories, and there are 8 that have not been patched. [source]

You can take that information for what it’s worth, but it goes to show that most browsers constantly have security-related flaws.

Source: Heise Security [via Slashdot]