Firefox 2.0 leaks passwords

[polonus]

Hi malware fighters,

A new security hole in Firefox 2.0 enables attackers to steal saved passwords without a user knowing this. The problem is caused by  a hole in the Firefox Password Manager leaking usernames and stored passwords to be directed further to a remote attacker.

According those that discovered this leak it is a "Reverse Cross-Site Request" leak, in which attackers place webforms on regular websites. Firefox automatically fills out these forms with the stored passwords or usernames for these kind of forms. The problem is that the destination of the forms cannot be checked before the user submits the form. Furthermore an attacker can hide the form from sight. Firefox automattically fills out these forms, when the user clicks the invisable "image link", the data are being forwarded.

Mozilla has stated this is a bug and would like to patch it in version 2.0.0.1 or 2.0.0.2. Internet Explorer is also vulnerable, but the leak is not that bad, because the form has to be on the same site as the legit form page. Further info to be found here in this advisory, where you can find a demo: http://www.info-svc.com/news/11-21-2006/

edit" -> "preferences" -> "security" -> "show passwords";

Could be taken out of a bad B-move......


polonus

[DavidR]

Not a problem for me, I never allow the browser, no matter which one to save passwords. I never thought that was a good idea in the first place. I won't even have roboform or a password manager on my system. I'm not very trusting I guess

The proof of concept doesn't show anything because if you don't save them.
http://www.google.com/search?q=Chapin+Information+Services&loginuser=&loginpass=&x=&y=

If you do save them the same test returns the details.
http://www.google.com/search?q=Chapin+Information+Services&loginuser=Auser&loginpass=AuserPassTest&x=&y=

Now when I first read the post and a brief read of the article I though that yours, passwords (plural) and not just the one you created to visit/logon to that site. So although the PoC works it is only ripping the user name and password for that site.

Why they need to go to the lengths to prove the concept is beyond me, as the user input could be saved directly from the originating web page with this torturous route. When it uses a fake logon page in the first place it has the user name and password without all this flip flop between sites to prove a concept.

So to me that vulnerability isn't as great as at it for it seems they aren't ripping all your saved passwords. Just the one you would have lost had you visited a phishing site, so this is no worse than any phishing attack.

[CharleyO]

***

Like David, I have never like the idea of password managers nor letting any program/application store my passwords. It is simply not a very secure thing to do.


***

[polonus]

Hi CharleyO,

As a user of Firefox 2.0 or the Flock cardinal I never save passwords when logging in.
And old admin trick was, log on with a wrong password to lead the stealer astray if it was an automated process, then fill out the right password second time. I also run Stealther, which hides Browsing History, Downloads, Disk Cache, Saved Form Info, Cookies, Referrer Header.

polonus