Holes in Firefox password manager [Update]
The Mozilla developers have fixed a known hole in the password manager of Firefox & Co, but a door remains open for exploitation. If the user gives permission, the inbuilt password manager of the open-source browser saves passwords and enters data into the respective form fields on the user's next visit automatically. This happens not only on the page where the password was saved, but also on all other pages on this server that contain a similar form.
When asked by heise Security, Mozilla developer Gavin Sharp confirmed that the developers are aware of that problem. Indeed, there were controversial discussions of the issue in the bug database, but further measures were discarded. Automatically entering passwords in other pages increases the user-friendliness on sites with several login pages. And even if this functionality is removed, this does not mean that passwords cannot be stolen. Provided an attacker can place script code on a server, he is able to manipulate the pages as he wishes anyway and has other ways to steal user access data.
- Password stealing, Browsercheck demo at heise Security
- Password stealing for dummies, background article on heise Security
- Cross-Site Forms + Password Manager = Security Failure, entry in the Mozilla bug database