Sunday, December 03, 2006

Firefox password stealing


Firefox can, if allowed, store usernames and passwords and fills them in automatically the next time you open the login page. When doing so it only checks that the page lives on the same server as the one the password was saved for; it does not check where the login form sends its data. A second, malicious page on the same server whose form posts to an attacker's server therefore receives the saved username and password. This matters on any site where users can place their own HTML on the same server as the login page.

Demo

Enter a fictional username and password in the form below, submit it and allow Firefox to save the login. Do not enter real passwords.

[Demo login form: username field ("fake name"), password field ("fake password")]

Now open this "evil" page. It will read the username and password that Firefox has filled in automatically and transfer them to our German site heise.de. If a page on www.heise.de opens and displays your username and password, you are vulnerable. If they are not shown, the demo did not work. A real attacker would of course hide the output of the evil page.

This demo requires JavaScript; the vulnerability can, however, also be exploited without JavaScript, since the form itself posts the filled-in fields to the attacker's server once submitted.
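To make the missing check concrete, here is an added example in JavaScript (not code from the heise demo or from Firefox itself) that models the password manager's fill decision. The vulnerable policy fills a saved login into any password form on the host it was saved from; the corrected policy also requires the form's action URL to resolve to the origin the login was originally submitted to. The hostnames (www.example.com, attacker.example), paths and the saved-login record are assumptions constructed for illustration.

```javascript
// Added example, not part of the heise demo page or of Firefox's code.
// Models the autofill decision to show the check that was missing.
// Hostnames, paths and the saved record below are constructed samples.

// A saved login as a password manager could record it: the page the form
// was on, the URL the form submitted to, and the credentials.
const savedLogin = {
  pageUrl: "http://www.example.com/login.html",
  actionUrl: "http://www.example.com/cgi-bin/login",
  username: "fake name",
  password: "fake password",
};

// Resolve a form's action attribute against the page URL, as the browser
// does on submit. A missing or empty action posts back to the page itself.
// URL is a global in browsers and in Node.js.
function resolveFormAction(pageUrl, action) {
  return new URL(action || "", pageUrl);
}

// Vulnerable policy: the current page is on the host the login was saved
// from, so fill. Where the form posts to is never consulted.
function vulnerableShouldFill(saved, pageUrl, action) {
  return new URL(pageUrl).host === new URL(saved.pageUrl).host;
}

// Corrected policy: same origin as the page the login was saved on, AND the
// form's action resolves to the origin the login was originally sent to.
function fixedShouldFill(saved, pageUrl, action) {
  const page = new URL(pageUrl);
  if (page.origin !== new URL(saved.pageUrl).origin) return false;
  const target = resolveFormAction(pageUrl, action);
  return target.origin === new URL(saved.actionUrl).origin;
}

// Simulate autofill under a policy: returns what a script (or the form
// submission) on that page could read from the filled fields, or null.
function autofill(policy, saved, pageUrl, action) {
  return policy(saved, pageUrl, action)
    ? { username: saved.username, password: saved.password }
    : null;
}

// Constructed scenarios: the real login form, attacker pages hosted on the
// same site with forms posting off-site, an attacker page whose form posts
// back to the same origin, and a page on an unrelated host.
const scenarios = [
  { name: "legitimate login form",
    pageUrl: "http://www.example.com/login.html",
    action: "/cgi-bin/login" },
  { name: "evil page, absolute off-site action",
    pageUrl: "http://www.example.com/users/evil/page.html",
    action: "http://attacker.example/collect" },
  { name: "evil page, protocol-relative off-site action",
    pageUrl: "http://www.example.com/users/evil/page.html",
    action: "//attacker.example/collect" },
  { name: "evil page, empty action (posts to itself on the same origin)",
    pageUrl: "http://www.example.com/users/evil/page.html",
    action: "" },
  { name: "login form on an unrelated host",
    pageUrl: "http://other.example/login.html",
    action: "http://www.example.com/cgi-bin/login" },
];

// Evaluate every scenario under both policies.
function runScenarios() {
  return scenarios.map((s) => ({
    name: s.name,
    vulnerable: vulnerableShouldFill(savedLogin, s.pageUrl, s.action),
    fixed: fixedShouldFill(savedLogin, s.pageUrl, s.action),
  }));
}

for (const r of runScenarios()) {
  console.log(`${r.name}: vulnerable=${r.vulnerable} fixed=${r.fixed}`);
}
```

The off-site scenarios are the ones the demo exploits: the vulnerable policy fills the fields, the corrected one does not. The empty-action scenario shows the limit of an action-URL check: an attacker page on the same origin whose form posts back to that origin is still filled, and any script running on it can read the fields. That is why the remedy below is to not save passwords at all until an update is available.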

Remedy:
The developers are working on a fix. Don't save passwords in Firefox until an update is available.
