Log in

View Full Version : Firefox Hackers Discovered.


4Dude
26th November 2006, 12:26
There is a warning out for all Firefox users to disable the auto password feature. Hackers have discovered a way to get your password. Just a warning.



http://www.internetnews.com/img/hdr_security.gif (http://www.internetnews.com/security/)
November 22, 2006
Phishers Lurk For Firefox 2.0 Password Manager
By Sean Michael Kerner (http://www.internetnews.com/feedback.php/http://www.internetnews.com/security/article.php/3645396)

Using Mozilla Firefox's built-in Password Manager to keep track of your browser's passwords? It makes site logins faster but it also could help malicious sites steal your passwords.
The bug, which has been known to Mozilla for at least 10 days, remains unpatched and exploits as well as a proof of concept exist in the wild.
"I was shocked today to find an in-the-wild phish that uses nothing more than cross-site forms, and also extracts information from the Password Manger!" Security Researcher Robert Chapin wrote in a November 12th e-mail posted in the bugzilla bug tracking system.
"The underlying method was so obvious that it should have raised multiple warnings," Chapin continued. "There were none at all."
The flaw allows a maliciously crafted page to auto-fill a form with credentials intended for another site. Apparently, there is no warning in Firefox 2.0 or previous versions that the credentials are being pulled for the wrong site and submitted to a third party.
Details of the flaw first became public this week. Mozilla developers do not yet have a fix. "Since this bug is an in-the-wild attack we're not protecting anyone by hiding the details anyway," Mozilla developer Daniel Veditz wrote in a bugzilla entry. "Up to now, browser makes have focused on user convenience and assumed sites with valuable passwords would be well-written. But they have bugs just like we have bugs so we might have to be more defensive."

foxyshadis
26th November 2006, 14:04
The real trouble is that if a site is already vulnerable to XSS exposures, it's trivial to extend to extend the attack to automatically submit the information, and if done by XMLRPC (ajax) it may be totally invisible to the user. I remember this problem being mentioned a while back, but I guess it wasn't taken seriously since the vector of attack wasn't as obvious.

4Dude
26th November 2006, 15:28
Yes and this same issue affects IE7 (http://news.com.com/Firefox%2C+IE+vulnerable+to+fake+login+pages/2100-1002_3-6137844.html) also..

feedback
2nd December 2006, 09:02
I always keep my password retention disabled just to thwart those numb nut gasbags.

Sharktooth
2nd December 2006, 12:57
Yes and this same issue affects IE7 (http://news.com.com/Firefox%2C+IE+vulnerable+to+fake+login+pages/2100-1002_3-6137844.html) also..
but not Opera, which has always been the most secure browser on earth...

4Dude
2nd December 2006, 16:57
What engine does Opera use?? (IE or Mozilla) Cause if it uses IE it may be vulnerable.....

foxyshadis
2nd December 2006, 17:49
Opera uses... Opera. It's not like Avant.

Sharktooth: Opera never autofills your username/pass on any page in the same domain except the exact ones they've been filled in at? If so, it's not vulnerable; that added convenience is what got the others in trouble. If it ever does, it's not entirely secure against such an attack.

kumi
2nd December 2006, 22:25
AFAIK, the vulnerability consists of a fake login form, so even if Firefox/IE do not auto-login, the user might still be tricked into filling out the form.

Sharktooth
3rd December 2006, 04:26
Opera doesnt automatically fill the fields, it uses a completely different way to "remember" the user/pass fields.
Search for "Wand" on their knowledge base or just install it and try to find out how it works ;)

foxyshadis
3rd December 2006, 07:47
AFAIK, the vulnerability consists of a fake login form, so even if Firefox/IE do not auto-login, the user might still be tricked into filling out the form.

Yes, but tricking someone into filling out their password can work with any browser, any site, and has been employed successfully since at least 1997. =p

The way to mitigate this problem is to only form-fill if the backend link resolves to the same. In fact, I would go so far as to say that domain should never be considered in any way; that the form-fill selection should be based on a hash of the resolved fully-qualified form target url. This should be entirely free of tampering by matching against the source domain, though there may be another vector I haven't considered.

I'm going to see if there's a bugzilla entry on it, and see if anyone already suggested that. =p

Actually, I did miss a vector: Javascript can be used to rewrite the action link after the form has been filled in. It's still better than the current, that doesn't even require any javascript, but only marginally.

btw, its bugzilla entry (https://bugzilla.mozilla.org/show_bug.cgi?id=360493).