Using Mozilla Firefox’s built-in Password Manager to keep track of your browser’s passwords? It makes site logins faster but it also could help malicious sites steal your passwords.
The bug, which has been known to Mozilla for at least 10 days, remains
unpatched and exploits as well as a proof of concept exist in the wild.
“I was shocked today to find an in-the-wild phish that uses nothing more
than cross-site forms, and also extracts information from the Password
Manger!” Security Researcher Robert Chapin wrote in a November 12th e-mail posted in the bugzilla bug tracking system.
“The underlying method was so obvious that it should have raised multiple
warnings,” Chapin continued. “There were none at all.”
The flaw allows a maliciously crafted page to auto-fill a form with
credentials intended for another site. Apparently, there is no warning in
Firefox 2.0 or previous versions that the credentials are being pulled for
the wrong site and submitted to a third party.
Details of the flaw first became public this week. Mozilla developers do not yet have a fix.
“Since this bug is an in-the-wild attack we’re not protecting anyone by
hiding the details anyway,” Mozilla developer Daniel Veditz wrote in a
bugzilla entry. “Up to now, browser makes have focused on user convenience and
assumed sites with valuable passwords would be well-written. But they have
bugs just like we have bugs so we might have to be more defensive.”
Solutions? Surf carefully. Or just don’t use the feature until a fix comes out. Security outfit (FriST) recommends that users disable the “Remember passwords for sites” feature in the Options menu.