Password manager flaw

As reported on Slashdot, there’s a flaw in the password managers of Firefox and, to a certain extent, IE. It has been reported to Mozilla as bug 360493. The severity of the bug depends on how you use passwords and the password manager.

The Problem

The problem occurs on domains where untrusted individuals can add their own content (e.g. myspace.com, geocities.com). A user of such a site can put a username and password box on their personal page, and the password manager will populate it with the password associated with that domain. This means a myspace user could find your myspace password. They can’t find any passwords associated with anything outside that domain, so your bank password is safe.

Sites where security is critical (e.g. banks) would never allow user-submitted content on their domain, so your critical data is fine. It’s important to ensure that you don’t use the same password for banking sites as you would for less important sites. Even if this flaw didn’t exist, you wouldn’t want someone who breaks into the myspace database to get a password that happens to be the same as your bank password.

Bug or feature

In order to harvest the data, the form is submitted to a domain different from the one the page is hosted on. There are legitimate uses for off-site submissions, so fixing this problem is not as straightforward as disabling the password manager for cross-domain submissions.

The easiest solution I can think of is for the password manager to store both the domain the form appears on and the destination it is submitted to. A page on myspace.com that submits to myspace.com (i.e. probably an official login box) would then be treated differently from a page on the domain that submits to a URL off site.
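The storage scheme proposed above can be sketched as follows. This is an added example, not code from Firefox or from bug 360493; the `LoginStore` class, its methods and the `.example` hostnames are hypothetical, and the sample credentials are constructed.

```javascript
// Hypothetical model of a password store that keys each saved login on BOTH
// the origin of the page showing the form and the origin the form submits to.
class LoginStore {
  constructor() {
    // key: "pageOrigin|actionOrigin" -> { username, password }
    this.entries = new Map();
  }

  // Resolve the form action against the page URL, as a browser would, so a
  // relative action such as "/session" maps to the page's own origin.
  static key(pageUrl, formAction) {
    const page = new URL(pageUrl);
    const action = new URL(formAction || pageUrl, page);
    return `${page.origin}|${action.origin}`;
  }

  save(pageUrl, formAction, username, password) {
    this.entries.set(LoginStore.key(pageUrl, formAction), { username, password });
  }

  // Autofill only when the page origin AND the submit target both match
  // the pair recorded when the login was saved.
  lookup(pageUrl, formAction) {
    return this.entries.get(LoginStore.key(pageUrl, formAction)) || null;
  }
}

// Constructed sample data: one login saved from the site's own login form,
// then three lookups from different forms on the same domain.
function demo() {
  const store = new LoginStore();
  store.save('https://social.example/login', '/session', 'alice', 'constructed-pw');
  return {
    // Same page origin, same submit origin: filled.
    official: store.lookup('https://social.example/login', '/session'),
    // Same page origin, form posts off site: not filled.
    offsite: store.lookup('https://social.example/users/bob',
                          'https://collector.example/save'),
    // Absolute action URL on the same origin: still filled.
    absolute: store.lookup('https://social.example/home',
                           'https://social.example/session'),
  };
}
```

The key uses origins only, so it separates on-site from off-site submission targets and nothing finer; legitimate off-site logins still work because they are saved under their own page and target pair.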

But it’s not just a browser issue. If someone can make their myspace.com-hosted page look like an official myspace page, they can add a username and password box to it and steal passwords from gullible users who type them in manually.

So basically, I hope Mozilla finds a solution that makes this attack more difficult without crippling the password manager, but in the meantime, as long as you have a sensible password policy, you will be fine.

One Response to “Password manager flaw”

  1. John Says:

    I’m fortunate I never use the password manager for online banking; I only use it for less important sites that contain no personal info.
