The Firefox password manager vulnerability
| This article brought to you by LWN subscribers Subscribers to LWN.net made this article — and everything that surrounds it — possible. If you appreciate our content, please buy a subscription and make the next set of articles possible. |
A commonly used convenience feature in Firefox is the password manager (PM) which can keep track of username/password pairs for sites that one visits and fills in when a new login is required. Unfortunately, as a recent bug report shows, PM can be too helpful and provide that information to other sites, invisibly to the user. As of this writing, the underlying browser problem has not been fixed, though MySpace (where the problem was originally discovered in the wild) has changed its filtering of user-supplied HTML to avoid the problem.
When visiting a site with a login form, Firefox checks its list of stored credentials to see if it has a set matching those requested by the page. How it makes that decision is the crux of the vulnerability. Currently, it looks at the domain name portion of the URL and the input field names in the login form to see if there is a match. If there is just one match, it automatically fills in the username and password and the user can just press the "Login" button to authenticate. If there are more matches, the username becomes a drop-down containing all of the possibilities. When a particular username is chosen, the associated password is filled in.
Under normal circumstances, this works fine, but attackers are always willing to alter the underlying assumptions; that is what has occurred here. For sites like MySpace that allow users to put HTML into their pages, someone with malicious intent can mimic the MySpace login page on their own page; Firefox will happily fill in the blanks on the spoofed page. Users might well believe that they had been logged off for some reason and press the login button which will then provide the credentials to whatever URL the ACTION attribute of the form points to. This new kind of attack has been called a Reverse Cross-site Request (RCSR) by Robert Chapin, who reported the Firefox bug.
This mechanism has much in common with standard phishing techniques, in that it tricks the user into sending their passwords to the attacker, but it has a few twists. A typical phishing site will not have a matching entry in the PM and therefore Firefox will not automatically fill in the form. In addition, there is no reason that the username and password fields need be visible for this attack to work; by using CSS or absolute positioning, the attacker may be able to hide the fields from the user but Firefox will happily fill them in anyway. The user will believe they are submitting a benign, unrelated form, when, in fact, they are providing their credentials to an attacker.
Other browsers are susceptible to this attack as well, but because of some user interface differences, the impact is lessened. Opera provides a 'magic wand' icon that a user can press when they want to provide their credentials to a matching site; IE7 requires one to choose the username from a drop-down (even if there is only one choice), unless the URL is exactly the same as the one stored with the password. These differences alleviate the problem with invisible form fields, but could still be used by login form mimics to trap the unwary.
The discussion of possible fixes in the bug report is instructive as there is no real panacea for this problem on the browser side. Several of the comments maintain that it is completely a server-side issue and that sites must take steps to insure that what they serve does not contain this kind of content. Unfortunately for Firefox users and developers, that simplistic approach will not suffice. The root of the problem lies in what portion of a URL is considered significant for identifying a specific site to attach credentials to in the PM.
It is interesting to note, while one is traversing the web, the different ways one can end up on a login page and the different URLs that lead to them. One way to ensure that RCSR cannot occur is to require that the URL stored with the password match exactly with the URL of the requesting page before filling in credentials. This test will break on a wide variety of web sites because they attach various parameters to the URL (navigation information for example) and doing that check would seriously degrade the usefulness of the PM. A less severe check could match the URL up to the start of any parameters, but there are some sites that use different hosts and paths for handling credentials and a user would have to store a password for each of these URLs. Checking the ACTION attribute of the form being submitted has been suggested as a potential solution, but javascript allows changing that attribute on the fly and that capability is used for legitimate reasons.
It is unclear what direction the Firefox team will take in fixing this problem, but it seems likely to require some user interface change (like Opera or IE7) so that some kind of user interaction is required before credentials are filled in. It may also include stricter checking of the page and/or action URLs before deciding to fill in credentials. Pop-up warnings for content that fails these checks has been suggested as a solution, but it is hard to envision users paying any more attention to a new warning than they have to any of the current ones. There is a delicate balance for the developers to maintain between security and convenience, especially when considering the behavior that users have come to expect.
It is hard to imagine that most users, when storing their passwords, would expect Firefox to send them off to phishing sites without any kind of user interaction and without providing any visual indication that it is doing so. Website operators should certainly be doing better filtering, but the browser is the agent that the user has entrusted with their passwords. Claiming that there is no browser issue is a serious misunderstanding of user expectations when they store passwords.
| Index entries for this article | |
|---|---|
| GuestArticles | Edge, Jake |
(Log in to post comments)
The Firefox password manager vulnerability
Posted Nov 29, 2006 21:44 UTC (Wed) by johnkarp (guest, #39285) [Link]
Anyone know whether Konqueror has this vulnerability?
The Firefox password manager vulnerability
Posted Nov 29, 2006 21:50 UTC (Wed) by stuart (subscriber, #623) [Link]
yes
The Firefox password manager vulnerability
Posted Nov 30, 2006 8:22 UTC (Thu) by mms (guest, #11532) [Link]
I have to disagree on this straight-forward "yes". Konqueror does notmatch the domain name, but instead seems to use the entire, fqdn. And,
unlike IE, it won't help you if the fqdn does not match, even if you fill
the form with a valid username.
So, is Konqueror vulnerable to this very problem? I'm not really sure.
The Firefox password manager vulnerability
Posted Nov 30, 2006 9:11 UTC (Thu) by nix (subscriber, #2304) [Link]
From the look ofkdelibs-3.5.5/khtml/html/html_formimpl.cpp:calculateAutoFillKey()
(svnversion 606559), it uses
that part of the URL before the first occurrence of a match to the regex
[,;!], followed by a # and the name of the form element. This seems
vulnerable to me under situations where URL parameters determine privilege
boundaries :/
(Why [,;!] and not ?, I wonder? The comment in the code implies that this
is working around a `potential security issue' but doesn't say what that
issue *is*.)
The Firefox password manager vulnerability
Posted Nov 30, 2006 9:13 UTC (Thu) by khim (subscriber, #9252) [Link]
Previous answer was much better then your long tirada. Have you even read the article ?
The problem happens not when the wrong site shows the form. Problem happens when "trusted" site allow HTML in posts! Then you can put form with TARGET="malicious site" and fqdn or not fqdn - password will be sent to cracker...
The Firefox password manager vulnerability
Posted Nov 29, 2006 21:49 UTC (Wed) by emkey (guest, #144) [Link]
Some day people will learn that the only safe place to store passwords is in your head. I've never trusted any of these systems for anything but the most trivial use. I never will.
The Firefox password manager vulnerability
Posted Nov 29, 2006 22:21 UTC (Wed) by kirkengaard (guest, #15022) [Link]
On the pat yourself on the back side of things, yes, good security practice does suggest that this sort of crutch is just like writing down your passwords anywhere else. Raise your hand if you know someone who has their login written on the computer or monitor (or a post it attached thereunto). The unwary user who simply says, "Oh! A labor saving device! I hate forgetting the password for that website!" is foolish, but common.
Post-It notes
Posted Nov 30, 2006 13:11 UTC (Thu) by Richard_J_Neill (guest, #23093) [Link]
Often, post-it notes are quite sensible for storing passwords. It all depends on who has physical access, and for domestic users, writing the password down is no bad thing, especially if it helps them remember it. Of course it depends on what the password is for, but in most cases, if someone can break into your house, you have bigger problems than losing your passwords!
The real danger is when a user uses the same password in multiple different places. Then, say their slashdot login might also work for their bank.
Post-It notes
Posted Nov 30, 2006 17:53 UTC (Thu) by emkey (guest, #144) [Link]
Post its are never a good idea. Why have passwords if they are? Passwords exists to limit access and provide auditing. Making it easy for somebody in your group or company to use your identity is not a good thing.
The main reason I don't store passwords beyond the obvious security issues is that I WILL forget a password if I don't have to type it in regularly.
Post-It notes
Posted Dec 3, 2006 15:55 UTC (Sun) by k8to (guest, #15413) [Link]
As the post you are responding to pointed out, post-it notes are useful because access to them is restricted to a physical domain, which can be quite small. A post it note on my computer here, for example, will be viewable by myself and a few close friends who visit my apartment. The risk is _quite_ small, and it would be fine for most applications.
The Firefox password manager vulnerability
Posted Nov 29, 2006 22:45 UTC (Wed) by sward (guest, #6416) [Link]
Bear in mind, however, that many site passwords are not there for your security - they are there to "protect" the content on the site against unauthorized viewing. So as long as you do not use the password manager (or postit notes) for truly sensitive passwords, why would you even care about this exploit?
I agree with you, for important passwords (my email login, finances, etc.) - I don't store those at all. But I have no qualms about storing my assorted subscription logins (like lwn.net) in the password manager.
The Firefox password manager vulnerability
Posted Nov 30, 2006 15:37 UTC (Thu) by k8to (guest, #15413) [Link]
I agree. Part of the problem is that so much "web security" is valueless. Some of it is valueless to the user, but not the site. Some of it is just plain valueless in its entirety.
The spawn of unnecessary 'security' is what begat this feature to paper over the problem. I think it's just fine that hackers will find out my login is "user" and my password is "password" at all these silly web domains.
Sure, some people do end up using this feature where security is actually important, but I think the crying wolf that websites do unnecessarily might be as big a security problem, in the long run, as anything else.
The Firefox password manager vulnerability
Posted Nov 29, 2006 22:47 UTC (Wed) by johnkarp (guest, #39285) [Link]
Ideally, yes, people would easily remember dozens of unique psuedorandompasswords. But even security expert Bruce Schneier
seems to acknowledge the usefulness of encrypted password databases... he
even maintains one:
The Firefox password manager vulnerability
Posted Nov 30, 2006 1:35 UTC (Thu) by proski (subscriber, #104) [Link]
The best thing is, you can actually put a passpoem there.
The Firefox password manager vulnerability
Posted Nov 30, 2006 3:59 UTC (Thu) by roelofs (guest, #2599) [Link]
The best thing is, you can actually put a passpoem there.An epic passpoem!
The Firefox password manager vulnerability
Posted Dec 12, 2007 22:27 UTC (Wed) by riches2rags (guest, #49525) [Link]
Bear in mind, that if the user has been brought to a "poser" web site, no password manager client-side bug is gonna matter if he/she is clicking "OK" anyway. The data has been deliberately sent (ie. exposed). The client maintained list is not, in and of itself, compromised. The hidden form field phishing is a bit less culpable for the client. Simplest solution might be to add a "paranoia" setting to the PM that presents a DB exposing the fqdn about to receive the sensitive submission asking "Are you sure this is a valid authentication request?<continue><cancel> The onus is on the user to double check the validity of the transaction one last time. IMHO, any truly sensitive authentication should be using encrypted transmission with mutual trust verification anyway, or the user should seriously consider doing business elsewhere.
The Firefox password manager vulnerability
Posted Nov 29, 2006 23:05 UTC (Wed) by NAR (subscriber, #1313) [Link]
The head might be safe against attackers, but definitely not safe against forgetting passwords (actually we use computers to store data instead of our heads). There are a couple of services in the company intranet which I use at most twice in a month, but the password expires every 60 days - I tend to ask for new passwords from IT at least once a month for one of these services.
The Firefox password manager vulnerability
Posted Nov 30, 2006 3:26 UTC (Thu) by rsw (guest, #4248) [Link]
One possible solution is to move away from passwords as an authentication key. Why can't servers generate an SSL certificate based on the username? Of course, then there would be an issue of carrying the certificates around wherever access is required, but perhaps something like Schnieir's pass safe equivalent could be used.
But as an initial fix, the Firefox UI will need to change to be less automated, requiring a positive action by the user to cause the fields to be entered
The Firefox password manager vulnerability
Posted Nov 30, 2006 8:47 UTC (Thu) by beejaybee (guest, #1581) [Link]
Actually passwords are fine _provided they're used only once_. The point being that disclosing a password for any reason compromises it, even if the reason is to gain access to the password-protected service.
What we really need is something like a smartcard which will generate one-time passwords and automatically communicate the next valid password to the service provider once access has been granted.
Firefox has fallen into the "convenience trap" here & urgently needs to be fixed. The quick (?) hack of copying the Opera "magic wand" procedure is probably the best mechanism for low to medium security requirements in the short term.
The Firefox password manager vulnerability
Posted Nov 30, 2006 21:05 UTC (Thu) by rriggs (guest, #11598) [Link]
Actually passwords are fine _provided they're used only once_. The point being that disclosing a password for any reason compromises it, even if the reason is to gain access to the password-protected service.Unless I misunderstand what you are saying, your logic is flawed. One has to disclose the password to set it in the first place.
The Firefox password manager vulnerability
Posted Dec 3, 2006 16:02 UTC (Sun) by k8to (guest, #15413) [Link]
I believe your parent is referring to the idea of having a password which is never set, but it is merely pre-arranged.
That is, a one-time password system where both parties can generate an unending linear set of passwords, so each password is generated by, and known to both parties in advance, but is only disclosed the once to authenticate. Traditional passwords become less secure as they are used. One-time passwords are discarded on use, so there is no lessening of security.
The downside of one-time passwords of course is they take even more effort than regular passwords, and at the rate at which passwords (ab)use is multiplying, I think neither is sustainable.
The Firefox password manager vulnerability
Posted Nov 30, 2006 20:59 UTC (Thu) by jstAusr (guest, #27224) [Link]
Does anyone use a stand alone password manager? Are there any good ones? I don't like storing the passwords in the browser because I don't see how that could ever be safe, but I am unable to remember them all either. Isn't an encrypted file to be used in case of brain malfunction just as good as anything else?
The Firefox password manager vulnerability
Posted Dec 1, 2006 17:12 UTC (Fri) by nevyn (subscriber, #33129) [Link]
For windows see the one Bruce Schneider started and oversees. For GNOME there's Revelation (and the older gringotts, which is pretty unmaintained and isn't as nice to use, IMO).
Personally I get firefox to remember all my web passwd's, as well as having them in revelation, they are all unique and 90+% of them it wouldn't matter if they were compromised for a few days. Like OMG someone stole my mailman admin passwd, stop the press.
The Firefox password manager vulnerability
Posted Dec 1, 2006 21:46 UTC (Fri) by vmole (guest, #111) [Link]
If you use a palm device, keyring works well. There's a jPilot plugin, so you can sync with your PC and have access to the passwords both from your palm pilot and jpilot.
The Firefox password manager vulnerability
Posted Dec 4, 2006 23:41 UTC (Mon) by alspnost (guest, #2763) [Link]
Well, there's PasswordSafe on Windoze, which seems good. On Linux, I just use a nice GPG-encrypted file, which ought to be good enough for most people.
The Firefox password manager vulnerability
Posted Apr 19, 2007 21:32 UTC (Thu) by activesolutions (guest, #44781) [Link]
Try this one:
http://www.geocities.com/ramix_info/
It's written in Java, so the OS doesn't matter, and uses blowfish encryption.
Why is the server-side fix not sufficient?
Posted Nov 30, 2006 21:38 UTC (Thu) by gerv (guest, #3376) [Link]
"Several of the comments maintain that it is completely a server-side issue and that sites must take steps to insure that what they serve does not contain this kind of content. Unfortunately for Firefox users and developers, that simplistic approach will not suffice."
Why not? It suffices for JavaScript - that is, if a site includes user-supplied JavaScript in a page, Firefox currently doesn't promise to protect the user from anything it might do, and sites are quite happy to say "Yes, it's our responsibility to filter out script". And that is a good deal harder than filtering out <input type="password">... No-one would blame Firefox if MySpace allowed script and then malicious users started stealing login cookies.
People who place user-supplied content onto their website pages need to do filtering anyway - and, if they are smart, it'll be whitelist-based. We've just discovered one new thing they have to filter for.
Why is the server-side fix not sufficient?
Posted Dec 1, 2006 8:22 UTC (Fri) by walles (guest, #954) [Link]
Fixing one web browser is easier than fixing all web sites.
Why is the server-side fix not sufficient?
Posted Dec 2, 2006 1:55 UTC (Sat) by gerv (guest, #3376) [Link]
But it's not "all web sites". It's a small number of major sites (eBay, mySpace) which include "rich" user-generated content of this sort. Most smaller sites use a packaged CMS; these can be fixed if necessary.
Gerv
Why is the server-side fix not sufficient?
Posted Dec 2, 2006 10:50 UTC (Sat) by walles (guest, #954) [Link]
So how do you intend to get "most smaller sites" to update to CMS without this problem? And make sure nobody ever develops a new CMS with this problem?
I still think fixing one web browser sounds easier than fixing "a small number of major sites" and "most smaller sites".
Why is the server-side fix not sufficient?
Posted Dec 3, 2006 2:01 UTC (Sun) by gerv (guest, #3376) [Link]
"So how do you intend to get "most smaller sites" to update to CMS without this problem?"
In the same way they upgrade to get any other security fix?
"And make sure nobody ever develops a new CMS with this problem?"
How do you plan to make sure nobody ever develops a new web browser with this problem?
Gerv
Why is the server-side fix not sufficient?
Posted Dec 5, 2006 10:56 UTC (Tue) by walles (guest, #954) [Link]
The way "most smaller sites" apply security fixes is "not at all". Since it's my password that gets out that way, this isn't acceptable IMO.
I don't care if somebody develops a new web browser with this problem, since that wouldn't affect me.
As long as *I* keep using Firefox, I only care about getting Firefox fixed. If somebody else uses some other browser, it's up to them to worry about that browser's security issues.
Why is the server-side fix not sufficient?
Posted Dec 7, 2006 0:40 UTC (Thu) by gerv (guest, #3376) [Link]
> The way "most smaller sites" apply security fixes is "not at all".
Then they have bigger problems than input type="password". You worry about your password getting out; if they get hacked, every bit of information you've given them gets out, not just your password.
Either sort of fix would require security updates from someone. The server-side fix doesn't reduce the functionality of a useful browser feature; the client-side fix would.
Gerv
The Firefox password manager vulnerability
Posted Dec 3, 2006 4:34 UTC (Sun) by bluefoxicy (guest, #25366) [Link]
I've been meaning to implement this hack for months; gather a hundred or so passwords; devise a fix; and ship the whole shebang to MySpace and (sans-passwords) BugTraq. Never got around to it though...
Good show. I'm glad to see the first real-world occurrence was benign; it'd be just awful if someone had gathered user ID/password pairs and used the unattributed but often correct assumption that they're going to be the same for Amazon/Ebay/etc.
The Firefox password manager vulnerability
Posted Dec 3, 2006 5:17 UTC (Sun) by bluefoxicy (guest, #25366) [Link]
For transparency's sake, a Slashdot comment on my would-be version. Not quite identical (I was thinking automating the password send with JavaScript), but worked off the browser-fills-in-the-password theory.
No I'm not trying to take credit; I hadn't dreamed it could be solved by a password manager change, or considered vanilla phishing, or user-triggered non-javascript buttoneering, or any of that.
The Firefox password manager vulnerability
Posted Oct 14, 2008 23:07 UTC (Tue) by techhelp (guest, #54694) [Link]
Firefox seems to have this problem with some sites that require a password to log in. There is a very good thread on it at net tech guide (Firefox password problems) Hope this helps