Holes in Firefox Password Manager

21 Juli, 2007 at 4:20 am Tinggalkan komentar

The Mozilla developers have fixed a known hole in the password manager of Firefox & Co, but a door remains open for exploitation. If the user gives permission, the inbuilt password manager of the open-source browser saves passwords and enters data into the respective form fields on the user’s next visit automatically. This happens not only on the page where the password was saved, but also on all other pages on this server that contain a similar

form.

If users are allowed to create their own web pages on a server, as is the case on many community sites, an attacker may emulate the login form to have the access data, which are entered automatically, sent to his own server. In the past, a login form could even be set up to send the data directly to the attacker’s server as soon as the submit button was clicked. Firefox entered the data automatically regardless of the target of the specified action. However, the developers have now implemented changes to check the destination to which the data are sent; consequently, the demo run by heise Security no longer worked. But Markus Bucher noticed that it is not necessary to change the destination: rather, it is possible to read out the entered data via JavaScript and then submit them. To do so, the page must simply access the data via the DOM (document.<form>.<field>.value). The updated browsercheck page of heise Security demonstrates how this works.

When asked by heise Security, Mozilla developer Gavin Sharp confirmed that the developers are aware of that problem. Indeed, there were controversial discussions of the issue in the bug database, but further measures were discarded. Automatically entering passwords in other pages increases the user-friendliness on sites with several login pages. And even if this functionality is removed, this does not mean that passwords cannot be stolen. Provided an attacker can place script code on a server, he is able to manipulate the pages as he wishes anyway and has other ways to steal user access data.

The position of the Mozilla developers is quite comprehensible, since the JavaScript security model almost completely relies on the origin of code (same origin policy). If an attacker succeeds in placing malicious code on a server, he may manipulate practically all pages from this server while they are displayed in the browser as he wishes. However, an uneasy feeling remains considering that a password manager enters passwords into faked forms without any user interaction. Somehow, this is reminiscent of a wallet with a hole in it.

From the users’ perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened (see our password stealing demo for that). This category of sites includes many content management systems including blogs and social networking sites. Specific filtering functions attempting to distinguish good from evil code are not really helpful, since experience shows that they can be bypassed in most cases. Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.

Update:
Apple’s Safari behaves in a similar manner. The browsercheck demo works the same way: on visiting the “evil” page, your password is stolen by JavaScript without any user interaction.

src : blog[at]byethost

Entry filed under: News. Tags: .

HTML 5 : We don’t need no XHTML Search Engine Optimization – It’s All in the Writing

Tinggalkan Balasan

Isikan data di bawah atau klik salah satu ikon untuk log in:

Logo WordPress.com

You are commenting using your WordPress.com account. Logout / Ubah )

Gambar Twitter

You are commenting using your Twitter account. Logout / Ubah )

Foto Facebook

You are commenting using your Facebook account. Logout / Ubah )

Foto Google+

You are commenting using your Google+ account. Logout / Ubah )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


CaLeNDar

Juli 2007
S S R K J S M
« Jun   Agu »
 1
2345678
9101112131415
16171819202122
23242526272829
3031  

my PoST

CouNTeR

  • 4,126 hits

%d blogger menyukai ini: