Topic: Password vulnerability in Firefox 2.0.0.5 (Read 1080 times)

Nemesis · « **on:** July 24, 2007, 09:56:06 pm »

Quote

According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw.

Apparently the password can only be stolen for the site that the javascript is on. It can't steal all passwords.

Just plain old Punisher · « **Reply #1 on:** July 25, 2007, 03:47:14 pm »

So the site can steal the password only for people who sign up for that site -- which begs the question, shouldn't they already have the username and password?

Javora · « **Reply #2 on:** July 25, 2007, 05:31:39 pm »

Quote from: Punisher LordOfBacon on July 25, 2007, 03:47:14 pm

So the site can steal the password only for people who sign up for that site -- which begs the question, shouldn't they already have the username and password?

No, not if they are spoofing another site, like a bank or some other place that deals with other peoples money. Granted, it's a remote chance that something like that could happen but... *shrugs*

jualdeaux · « **Reply #3 on:** July 25, 2007, 05:56:51 pm »

Ah, they'll get a fix out fairly quickly.

Nemesis · « **Reply #4 on:** July 25, 2007, 07:30:50 pm »

Quote from: Punisher LordOfBacon on July 25, 2007, 03:47:14 pm

So the site can steal the password only for people who sign up for that site -- which begs the question, shouldn't they already have the username and password?

Some sites also apparently allow members to add javascript to their own pages. Those pages could grab the site password.

News: