An exploit has been found with the current version of Firefox password manager, using only javascript to retrieve stored passwords from your browser. The trick is simple but has its limitations on the part of the hacker.
This is how it goes. A lot of people just let firefox store all of their passwords since they are sure they’re the only ones who has access to their computers. So among the passwords stored are of course login to their blogger account on blogspot.com.
Okay so say you were tricked into opening another blog on blogspot.com and this blogger is up to no good. Mr Evil here knows HTML and javascript, so he posted a fake login form to login into blogspot (easily done, just copy from the actual login form).
When you open this page with the fake login fields, firefox will automatically place your username and password on the fields, thinking it is providing you an easy login since it is still on the same domain. The evil script now just have to fetch the values in the field and store it on their site. E-Z.
Heise Security has provided a demo page here, enter a FAKE username/password and then go to the next page, where it will display what you typed on the previous page before.
Of course, for this exploit to work, the following rules apply :
- Javascript is enabled (99% of us do)
- You let FF Password Manager keep your passwords
- The evil page can only retrieve username/passwords from the same domain as the page itself and allows javascript.
So the exploit is not that “open” but still, the thought of your passwords easily fetched by another page is real. How to protect yourself? Easy. You have several options.
- Disable javascript
- Don’t use FF’s built-in password manager, use a standalone password manager. I recommend the freeware KeePass Password Safe.
- If you still want to use FF’s built-in password manager, install this firefox add-on, Secure Login. It will disable the automatic placement of your username/password on any form. You control when those sensitive information is placed on any form fields.
- Another add-on to make your favourite browser secure is NoScript. The winner of the “2006 PC World World Class Award”, it only allows JavaScript, Java and other executable content to run only from trusted domains of your choice.
There - no more excuses in not making your browser and internet experience more secure.
4 Responses
clement
July 25th, 2007 at 11:28 am
Comment #1
whats the worst that can happen?
melvin,foong
July 25th, 2007 at 12:54 pm
Comment #2
Why bother about Firefox and the “plugins” when Opera can just manage these equally well without any?
papajoneh
July 26th, 2007 at 5:51 pm
Comment #3
I love my noscript. FF still the best :D
Thanks for posting this… especially to those not aware of it.
Davelynne
July 26th, 2007 at 11:29 pm
Comment #4
Ekkk… Yang malas menaip saja mau enable password manager… :p
RSS feed for comments on this post · TrackBack URI
Leave a reply
Categories
Recent Posts
Recent Comments
Meta
Tags
mrBadak.com is proudly powered by WordPress - BloggingPro theme by: Design Disease