Firefox hit with password management vulnerability

The folks at Linux.com warn of a new security vulnerability that is said to affect the latest version of Mozilla’s popular Firefox browser. Quoting a post on the Full-Disclosure mailing list, the site says Firefox 2.0.0.5 suffers from a password management flaw that could allow a malicious website to steal a user’s saved passwords. “If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw,” the site warns.

For those interested, Heise Security has put together a proof-of-concept demonstration of the flaw that does indeed seem to work on Firefox 2.0.0.5. That said, Mozilla’s browser isn’t the only one affected. According to Linux.com, Apple’s browser Safari is also vulnerable to the same flaw. The site advises that users either disable JavaScript or not use automatic password management on sites where users can post JavaScript pages.

Comments closed
    • sigher
    • 13 years ago

    Incidentally, this repeat of an old non-bug is I assume some kind of MS sponsored article? or what.

    And that proof of concept thing is laughable, put a name/password in heisse.de and then when you go to page 2 on… heisse.de FF PUTS IN YOUR NAME/PASSWORD, OMG….. IT DOES WHAT YOU ENABLED IT TO DO AND IT IS SUPPOSED TO DO!!! OMG…

    • albundy
    • 13 years ago

    you could disable javascript, but TR will lose money from advertisements not showing.

    • stmok
    • 13 years ago

    I just played around with this demo exploit on my Linux box.

    It appears you MUST have “Remember passwords for sites” checked or enabled AND have Javascript on (disable NoScript). Both these conditions must be met for this to work.

    Looks like another issue here as well. http://www.securityfocus.com/brief/553 (The workaround, for now, is to use NoScript 1.1.6.06...The very latest one) => http://noscript.net/

    So 2.0.0.6 by next week or so? :-)

    • Prospero424
    • 13 years ago

    "If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw"

    That's just one more reason why I recommend to everyone I know that they use the NoScript (Java whitelist, which did indeed foil this exploit test) extension and maybe a phishing detection/site reputation extension like SiteAdvisor. Mozilla can't be blamed for vulnerabilities in Java. And I don't really fault Sun so much because the incredibly flexible, complex, and powerful nature of what Java is capable of simply can't be totally locked down from a "complete" security standpoint, though that's not to say that vulnerabilities like this, when found, can't or shouldn't be fixed. The fact is that this flexibility is what allows so much of what we enjoy about the modern internet. The key is to just use some simple precautions regarding what sites you allow to access this capability.

    • ReAp3r-G
    • 13 years ago

    lucky enough i don’t use password remember, a bit of a privacy issue since other ppl might wanna use my laptop/PC

    • PetMiceRnice
    • 13 years ago

    It goes to show that if something is popular enough, it’s a target for people to find weaknesses.

    • sigher
    • 13 years ago

    WTF, this is the same old facebook bug, long discussed and only relevant on the same base domain as the one you set the password, aka a non-issue.

    • axeman
    • 13 years ago

    Yikes.

    Since I work in a corporate environment that is a bit of a mess, I’m on FF 1.5.0.7, and it is affected.

    One thing I don’t really like about FF is that the auto-update doesn’t offer to upgrade major versions, which is a problem unless they fix this in the 1.5 branch as well.

    • Mithent
    • 13 years ago

    It seems like the flaw isn’t in password management, but that JavaScript is allowed to read auto-filled password boxes?

    • Dposcorp
    • 13 years ago

    Opera FTW!!!!!!!!!!!!!
    Opera blocked this, but my FF install fell for it.

      • PerfectCr
      • 13 years ago

      It’s only a matter of time now.

        • SuperSpy
        • 13 years ago

        Opera blocks it even better with javascript totally disabled. =)

        Am I the only person that browses like that anymore?

      • gratuitous
      • 13 years ago
        • CasbahBoy
        • 13 years ago

        Gratuitous said:

        https://techreport.com/forums/viewtopic.php?p=590188&highlight=#590188
        http://en.wikipedia.org/wiki/Evelyn_Beatrice_Hall "I disapprove of what you say, but I will defend to the death your right to say it." Or not say it. Or don't we believe that in America anymore.

        Freedom of Speech doesn't apply to private enterprise, gratuitous :). I did enjoy the "...OR DO YOU HATE FREEDOM" angle that you took though.

          • gratuitous
          • 13 years ago
          • Forge
          • 13 years ago

          WTF? I agree that Gratuitous deleting his posts after the fact is mildly annoying and IMO pointless, but the chorus of morons doing nothing but following him around and repasting what he writes is WORSE!

      • sigher
      • 13 years ago

      Yes indeed, ban his ass already

    • gratuitous
    • 13 years ago
      • radix
      • 13 years ago

      gratuitous said:

      “Score one for the "tinfoil hat" crowd that have been advising against js for years. (What, you think the black hats just came up with this hack yesterday?)”

        • gratuitous
        • 13 years ago
          • heruur
          • 13 years ago

          Gratuitous…”Ah, another loyal lemming joins the gratuitous fan club. Welcome to the fold, my rabid little sycophants. :-)”

          Archived

            • gratuitous
            • 13 years ago
    • adisor19
    • 13 years ago

    Ouch, this DOES work 🙁 The mac version is affected this time..

    Adi

      • wierdo
      • 13 years ago

      Hopefully they’ll fix this within one or two weeks like they did past ones. As long as they keep doing that then it’s not a big deal.
