Author Topic: Firefox 2.0 leaks passwords  (Read 2458 times)

polonus
Firefox 2.0 leaks passwords
« on: November 22, 2006, 04:19:51 PM »
Hi malware fighters,

A new security hole in Firefox 2.0 enables attackers to steal saved passwords without a user knowing this. The problem is caused by a hole in the Firefox Password Manager leaking usernames and stored passwords to be directed further to a remote attacker.

According to those who discovered this leak, it is a "Reverse Cross-Site Request" leak, in which attackers place webforms on regular websites. Firefox automatically fills out these forms with the stored passwords or usernames for these kinds of forms. The problem is that the destination of the forms cannot be checked before the user submits the form. Furthermore, an attacker can hide the form from sight. Firefox automatically fills out these forms, and when the user clicks the invisible "image link", the data are forwarded.

Mozilla has stated this is a bug and would like to patch it in version 2.0.0.1 or 2.0.0.2. Internet Explorer is also vulnerable, but the leak is not that bad, because the form has to be on the same site as the legit form page. Further info to be found here in this advisory, where you can find a demo: http://www.info-svc.com/news/11-21-2006/

"edit" -> "preferences" -> "security" -> "show passwords";

Could be taken out of a bad B-movie......


polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
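
The check the post says a user cannot make before submitting, whether a form carrying a password field submits to the site it is displayed on, is one a site owner can run over pages that accept user-supplied HTML. The following is an added example, not part of the thread or the linked advisory; the host names, the sample markup and the `audit` helper are constructed for illustration, and the "credentials in URL" check is an extra added here for forms that submit by GET.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """(scheme, host, port) triple used to compare two URLs by origin."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(),
            u.port or {"http": 80, "https": 443}.get(u.scheme))

class CredentialFormAudit(HTMLParser):
    """Flags forms with a password field that submit away from the page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.form, self.findings = page_url, None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            self.form = {"target": urljoin(self.page_url, a.get("action") or ""),
                         "method": (a.get("method") or "get").lower(),
                         "has_password": False}
        elif tag == "input" and self.form is not None:
            if (a.get("type") or "text").lower() == "password":
                self.form["has_password"] = True

    def handle_endtag(self, tag):
        if tag != "form" or self.form is None:
            return
        form, self.form = self.form, None
        if not form["has_password"]:
            return
        reasons = []
        if origin(form["target"]) != origin(self.page_url):
            reasons.append("cross-origin action")
        if form["method"] == "get":
            reasons.append("credentials in URL")
        if reasons:
            self.findings.append((form["target"], reasons))

def audit(page_url, html):
    parser = CredentialFormAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample: a profile page holding the site's own login form and one user-supplied form.
PAGE = "http://social.example/profile/123"
SAMPLE = """<form action="/login" method="post"><input name="u"><input type="password" name="p"></form>
<form action="http://collector.example/search"><input name="loginuser"><input type="password" name="loginpass"></form>"""
```

Calling `audit(PAGE, SAMPLE)` reports only the second form; the site's own same-origin POST login form passes.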

DavidR
Re: Firefox 2.0 leaks passwords
« Reply #1 on: November 22, 2006, 04:58:17 PM »
Not a problem for me, I never allow the browser, no matter which one, to save passwords. I never thought that was a good idea in the first place. I won't even have RoboForm or a password manager on my system. I'm not very trusting I guess ;D

The proof of concept doesn't show anything if you don't save them.
http://www.google.com/search?q=Chapin+Information+Services&loginuser=&loginpass=&x=&y=

If you do save them the same test returns the details.
http://www.google.com/search?q=Chapin+Information+Services&loginuser=Auser&loginpass=AuserPassTest&x=&y=

Now when I first read the post, and after a brief read of the article, I thought that it was your passwords (plural) and not just the one you created to visit/log on to that site. So although the PoC works, it is only ripping the user name and password for that site.

Why they need to go to the lengths to prove the concept is beyond me, as the user input could be saved directly from the originating web page with this torturous route. When it uses a fake logon page in the first place it has the user name and password without all this flip flop between sites to prove a concept.

So to me that vulnerability isn't as great as at it for it seems they aren't ripping all your saved passwords. Just the one you would have lost had you visited a phishing site, so this is no worse than any phishing attack.

CharleyO

  • Guest
Re: Firefox 2.0 leaks passwords
« Reply #2 on: November 23, 2006, 05:28:57 AM »
***

Like David, I have never liked the idea of password managers nor letting any program/application store my passwords. It is simply not a very secure thing to do.


***

polonus
Re: Firefox 2.0 leaks passwords
« Reply #3 on: November 23, 2006, 02:42:40 PM »
Hi CharleyO,

As a user of Firefox 2.0 or the Flock cardinal I never save passwords when logging in.
An old admin trick was: log on with a wrong password to lead the stealer astray if it was an automated process, then fill out the right password the second time. I also run Stealther, which hides Browsing History, Downloads, Disk Cache, Saved Form Info, Cookies, Referrer Header.

polonus
