Theme

Welcome · log in · join

Mozilla Software → Firefox 2.0 Password Manager Bug Exposes Passwords

uniqs
9006

« [FireFox] Shakee Web Pages with FF 2.0.0.1 • [Thunderbird] Out Going Authentication? »
page: 1 · 2 · 3 · 4 · next

newview Ex .. Ex .. Exactly Premium Member join:2001-10-01 Parsonsburg, MD	newview Premium Member 2006-Nov-21 7:42 pm Firefox 2.0 Password Manager Bug Exposes Passwords This is not good . . . Caught this on /. quote: "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion.
	· actions · 2006-Nov-21 7:42 pm ·
MagMan Life is simpler when you tell the truth. Premium Member join:2003-10-01 Westlake, OH	MagMan Premium Member 2006-Nov-21 7:44 pm Don't use the password mgr here so not a problem for me thanks though.
	· actions · 2006-Nov-21 7:44 pm ·
Cudni La Merma - Vigilado MVM join:2003-12-20 Someshire	Cudni to newview MVM 2006-Nov-21 7:48 pm to newview Bad bug. Pity they didn't post a workaround, maybe there isn't one, until patched properly Cudni
	· actions · 2006-Nov-21 7:48 pm ·
Grail Knight Premium Member join:2003-05-31 Valhalla	Grail Knight to newview Premium Member 2006-Nov-21 7:52 pm to newview Good info and should also be posted in the Security Thread due to not all Fx users visiting this part of BBR. I use KeePass myself for filling in passwords of importance and Fx for filling in user name/passwords for sites that contain no personal data.
	· actions · 2006-Nov-21 7:52 pm ·
newview Ex .. Ex .. Exactly Premium Member join:2001-10-01 Parsonsburg, MD	newview Premium Member 2006-Nov-21 7:56 pm said by Grail Knight: Good info and should also be posted in the Security Thread due to not all Fx users visiting this part of BBR. Done.
	· actions · 2006-Nov-21 7:56 pm ·
newview	newview Premium Member 2006-Nov-21 8:00 pm I justed tested with SeaMonkey 1.0.6 and it's vulnerable also.
	· actions · 2006-Nov-21 8:00 pm ·
MagMan Life is simpler when you tell the truth. Premium Member join:2003-10-01 Westlake, OH	MagMan to newview Premium Member 2006-Nov-21 8:12 pm to newview Okay Let me ask this question if you are using Roboform why is this an issue.Let the pundits explain please.
	· actions · 2006-Nov-21 8:12 pm ·
Grail Knight Premium Member join:2003-05-31 Valhalla	Grail Knight Premium Member 2006-Nov-21 8:28 pm I will take a wild guess but not everyone uses Roboform or other password managers relying on the browsers password tools. This would no doubt be of interest to them would it not if their browser password manager is flawed?
	· actions · 2006-Nov-21 8:28 pm ·
Grail Knight	Grail Knight to newview Premium Member 2006-Nov-21 8:32 pm to newview From Chapin Information Services. quote: Mozilla confirmed this as bug number 360493, and said they are already working on a fix for version 2.0.0.1 or 2.0.0.2. also from MS, quote: Microsoft responded by saying, "We are aware of the issue you reported." And, "As a matter of policy, we cannot comment on ongoing investigations."
	· actions · 2006-Nov-21 8:32 pm ·
MagMan Life is simpler when you tell the truth. Premium Member join:2003-10-01 Westlake, OH	MagMan to Grail Knight Premium Member 2006-Nov-21 8:38 pm to Grail Knight said by Grail Knight: I will take a wild guess but not everyone uses Roboform or other password managers relying on the browsers password tools. This would no doubt be of interest to them would it not if their browser password manager is flawed? I guess if they are noobs than there is a tin hat alert here good job. But that is not how it is being posted.
	· actions · 2006-Nov-21 8:38 pm ·

newview Ex .. Ex .. Exactly Premium Member join:2001-10-01 Parsonsburg, MD 1 edit	newview Premium Member 2006-Nov-21 8:45 pm said by MagMan: But that is not how it is being posted. I'm sorry . . . what part of Firefox 2.0 Password Manager Bug Exposes Passwords is confusing you? Firefox calls their password manager . . . "Password Manager".
	· actions · 2006-Nov-21 8:45 pm ·
MagMan Life is simpler when you tell the truth. Premium Member join:2003-10-01 Westlake, OH 1 edit	MagMan Premium Member 2006-Nov-21 8:54 pm Thanks for your heads up on this I will make sure I don't use the password mgr.Firefox is my default browser so I guess I will be more careful Thanks. Use roboform problem solved
	· actions · 2006-Nov-21 8:54 pm ·
pfak Premium Member join:2002-12-29 Vancouver, BC	pfak to newview Premium Member 2006-Nov-21 9:30 pm to newview Correct me if I'm wrong but.. Isn't this supposed to be the intended behavoir of the Password Manager? To supply the username and password to all input forms on a domain that ask for the username and password you have saved..?
	· actions · 2006-Nov-21 9:30 pm ·
newview Ex .. Ex .. Exactly Premium Member join:2001-10-01 Parsonsburg, MD	newview Premium Member 2006-Nov-21 9:36 pm said by pfak: Correct me if I'm wrong but.. Isn't this supposed to be the intended behavoir of the Password Manager? To supply the username and password to all input forms on a domain that ask for the username and password you have saved..? Check out the "proof of concept" link. It's passing the ID & PW to an entirely different domain and displaying it in the resulting URL. Don't forget you have to allow Password Manager to save the info.
	· actions · 2006-Nov-21 9:36 pm ·
Lanik Lab-nik join:2001-06-25 San Francisco, CA 1 edit	Lanik to newview 2006-Nov-21 10:06 pm to newview Never mind I didn't read the address bar same thing as everyone else. Hope its fixed soon.
	· actions · 2006-Nov-21 10:06 pm ·
AB Premium Member join:2006-04-04 Ecuador 3 edits	AB to newview Premium Member 2006-Nov-21 10:12 pm to newview Ouch! That hurt! Cudni 's right, as usual. Bad bug. I had Password Manager save "joe blow" as my username, and "234567" as my password. When I clicked on the video & was transferred to Google, this is what was in the address bar: »www.google.com/search?q= ··· 67&x=&y= *For those who don't want to click on my link, it says: loginuser=joe+blow&loginpass=234567 That ain't good. Thanks much for the heads-up, newview . It's appreciated.
	· actions · 2006-Nov-21 10:12 pm ·
robo_mojo join:2006-01-11 Ada, OK 4 edits	robo_mojo to newview Member 2006-Nov-21 10:49 pm to newview Trying to understand what is going on here... The page has fields for loginuser and loginpass, which you can save values for if you use password manager. Then the page loads (on the same site) with the same fields again, except they are hidden. On this second page, the form URL it submits to is on a different domain (google) but the fields are populated and submitted anyway. What is the deal with the flash on the page? Does it need to use flash to make this happen? Or does the flash not affect anything? Just curious how this is working. I have never even used password manager. But it seems to me that you still need to load the site that goes with the saved user/pass first, but what that site does with it is another matter. A site that is vulnerable to cross-scripting attacks might be used to harvest info from visiting users. But I don't understand how the browser is at fault.
	· actions · 2006-Nov-21 10:49 pm ·
AB Premium Member join:2006-04-04 Ecuador	AB Premium Member 2006-Nov-21 10:58 pm said by robo_mojo: Trying to understand what is going on here....I have never even used password manager. . . . But I don't understand how the browser is at fault. Apparently it's snagging the info from the 'saved passwords' area of the browser. If you just manually enter the info, and have no passwords saved, it can't read it. That's the way I see it, anyway.
	· actions · 2006-Nov-21 10:58 pm ·
JTM1051 MVM join:2000-07-08 Moorpark, CA	JTM1051 to AB MVM 2006-Nov-21 11:33 pm to AB said by AB: ...this is what was in the address bar: »www.google.com/search?q= ··· 67&x=&y= *For those who don't want to click on my link, it says: loginuser=joe+blow&loginpass=234567 ... No need to click to see, unless your Status bar is filled with various extensions, just hover mouse pointer over link in post and full link appears in the Status Bar.
	· actions · 2006-Nov-21 11:33 pm ·
AB Premium Member join:2006-04-04 Ecuador	AB Premium Member 2006-Nov-21 11:45 pm said by JTM1051: said by AB: »www.google.com/search?q= ··· 67&x=&y= For those who don't want to click on my link, it says: loginuser=joe+blow&loginpass=234567 ... No need to click to see, unless your Status bar is filled with various extensions, just hover mouse pointer over link in post and full link appears in the Status Bar. Ahem* Yes, how bout that? Okay . . . back to sleep for me now.
	· actions · 2006-Nov-21 11:45 pm ·
Grail Knight Premium Member join:2003-05-31 Valhalla	Grail Knight to MagMan Premium Member 2006-Nov-21 11:45 pm to MagMan Seemed obvious to me by the title what the thread was about.
	· actions · 2006-Nov-21 11:45 pm ·
Grail Knight	Grail Knight to AB Premium Member 2006-Nov-21 11:48 pm to AB MoFo is already working on a patch. The race will be who releases it first, MS or MoFo.
	· actions · 2006-Nov-21 11:48 pm ·
AB Premium Member join:2006-04-04 Ecuador	AB Premium Member 2006-Nov-21 11:52 pm said by Grail Knight: . . The race will be who releases it first, MS or MoFo. Guess where the 'smart money' is.
	· actions · 2006-Nov-21 11:52 pm ·
Grail Knight Premium Member join:2003-05-31 Valhalla	Grail Knight Premium Member 2006-Nov-21 11:59 pm I don't know if I trust myself to answer that but if we ask the "Genius" I would bet she would know.
	· actions · 2006-Nov-21 11:59 pm ·
dvd536 as Mr. Pink as they come Premium Member join:2001-04-27 Phoenix, AZ	dvd536 Premium Member 2006-Nov-22 7:22 am how does one remove saved passwords from the manager?
	· actions · 2006-Nov-22 7:22 am ·
Grail Knight Premium Member join:2003-05-31 Valhalla	Grail Knight Premium Member 2006-Nov-22 8:05 am Tools - Options - Security - Show Passwords Click the password to highlight it then click the remove button at the bottom of the passwords window.
	· actions · 2006-Nov-22 8:05 am ·
newview Ex .. Ex .. Exactly Premium Member join:2001-10-01 Parsonsburg, MD	newview to dvd536 Premium Member 2006-Nov-22 9:25 am to dvd536 SeaMonkey: Tools \| Password Manager \| Manage Stored Passwords \| Remove All - or highlight ID-PW field to be removed - click remove
	· actions · 2006-Nov-22 9:25 am ·
b10010011 Whats a Posting tag? join:2004-09-07 Bellingham, WA	b10010011 to newview Member 2006-Nov-22 10:32 am to newview This is exactly why I do not use any type of password manager. They are security breaches just waiting to happen.
	· actions · 2006-Nov-22 10:32 am ·
clorets join:2001-12-12 Oklahoma City, OK	clorets to newview Member 2006-Nov-22 11:45 am to newview anyone know if this is in 1.5.0.6?
	· actions · 2006-Nov-22 11:45 am ·
Grail Knight Premium Member join:2003-05-31 Valhalla	Grail Knight Premium Member 2006-Nov-22 12:26 pm Yes it does it also in my 1.5.0.6 series.
	· actions · 2006-Nov-22 12:26 pm ·

Forums → Software and Operating Systems → Mozilla Software	« [FireFox] Shakee Web Pages with FF 2.0.0.1 • [Thunderbird] Out Going Authentication? »
page: 1 · 2 · 3 · 4 · next