#1 2006-11-24 20:15:45

Romashka
Forum Fellow
Registered: 2005-12-07
Posts: 1,054

Security issue in Firefox

Cross-Site Forms + Password Manager = Security Failure

MSIE6 is vulnerable too.
Opera is not vulnerable.
I don't know if this is an issue for Konqueror or Epiphany.


to live is to die

#2 2006-11-25 14:44:35

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: Security issue in Firefox

I think Epiphany uses its own password manager, not Firefox's, so it might not be. Konqueror I'm not sure about.

(Hmm, can't seem to find this on the bugtracker. Fixed already?)

#3 2006-11-25 14:54:07

Romashka
Forum Fellow
Registered: 2005-12-07
Posts: 1,054

Re: Security issue in Firefox

Sorry, I forgot to report it.
It's bug #5892 now.

BTW, though Opera is not vulnerable, its devs have changed the way its Wand feature works to make it even more secure.


to live is to die

#4 2006-11-25 17:55:08

hussam
Member
Registered: 2006-03-26
Posts: 572

Re: Security issue in Firefox

Well there is no patch in https://bugzilla.mozilla.org/show_bug.cgi?id=360493
at the moment. But 2.0.0.1 should be out soon and it will include the fix for this.

#5 2006-11-26 04:00:22

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: Security issue in Firefox

Epiphany is vulnerable too. http://www.heise-security.co.uk/service … ass1.shtml

That's a nasty bug though. Pretty much any browser that fills the forms automatically is vulnerable, allowing a malicious page to get them blindly without the user knowing -- and it's a difficult one to fix too.
You could set the password manager to remember the action URL, however it could just as easily be submitted using AJAX instead, while having the real action URL there and thus fooling the browser. I think the best solution is an Opera-style fill-in, requiring the user to hit the wand to log in, though it isn't as convenient.

James
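
The trade-off described in the post above, as an added example that is not part of the original thread or any browser's code: a fill policy that checks the form's page and action origins and still withholds the fill until the user asks for it. The function name, the record fields and the `.example` hosts are assumptions made for illustration.

```javascript
// Added example: autofill policy for a hypothetical password manager.
// decideAutofill and the savedLogin/form field names are illustrative.

// Resolve a (possibly relative) URL and return its origin, or null if unparsable.
function originOf(url, base) {
  try {
    return new URL(url, base).origin;
  } catch (e) {
    return null;
  }
}

// savedLogin:  { pageUrl, actionUrl } recorded when the password was stored.
// form:        { pageUrl, action } as the form appears on the current page.
// userGesture: true only when the user explicitly requested the fill
//              (the "hit the wand" step), never on page load.
function decideAutofill(savedLogin, form, userGesture) {
  const pageOrigin = originOf(form.pageUrl);
  // An empty action submits back to the page itself.
  const actionOrigin = originOf(form.action || form.pageUrl, form.pageUrl);

  if (pageOrigin === null || pageOrigin !== originOf(savedLogin.pageUrl)) {
    return { fill: false, reason: "page origin differs from saved login" };
  }
  if (actionOrigin === null || actionOrigin !== originOf(savedLogin.actionUrl)) {
    return { fill: false, reason: "form submits to a different origin" };
  }
  // The action check only sees the declared action attribute. It cannot see
  // script on the page that reads the fields after they are filled, so the
  // fill is still held back until the user asks for it.
  if (!userGesture) {
    return { fill: false, reason: "waiting for explicit user action" };
  }
  return { fill: true, reason: "origins match and user requested fill" };
}

// Constructed sample data.
const saved = {
  pageUrl: "https://forum.example/login",
  actionUrl: "https://forum.example/session",
};
const genuine = { pageUrl: "https://forum.example/login", action: "/session" };
const crossSite = { pageUrl: "https://forum.example/profile/123",
                    action: "https://collector.example/submit" };

console.log(decideAutofill(saved, genuine, true));
console.log(decideAutofill(saved, genuine, false));
console.log(decideAutofill(saved, crossSite, true));
```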

#6 2006-11-26 10:50:10

JGC
Developer
Registered: 2003-12-03
Posts: 1,664

Re: Security issue in Firefox

The solution is quite simple: don't save passwords. Saving passwords that get autofilled is like leaving the key to your house in the lock on the outside. It's convenient, but also for others.

Until this is fixed upstream, the only possible fix is the above fix. The password manager should turn from a "leave key in the lock" feature to a feature that tells you which key you should put in the lock.

#7 2006-11-26 12:06:21

hussam
Member
Registered: 2006-03-26
Posts: 572

Re: Security issue in Firefox

If it's just a case when one site can read passwords from other sites, then just have Firefox match the password with the full address of the page with all the /something/whatever and not just the host name and possibly also the IP address of the site.

#8 2006-11-27 19:49:15

Namru
Member
From: Hamburg (Germany)
Registered: 2006-10-18
Posts: 13

Re: Security issue in Firefox

Konqueror is OK.
