Open Source Subnet An independent Open Source community View more

Firefox lets hackers grab your passwords

Black Hat researcher will demonstrate how to scrape Firefox passwords with Cross Site Scripting malware.

Better delete your passwords from Firefox's Password Manager before next week's Black Hat security conference in Las Vegas. That's when Jeremiah Grossman will present a demo showcasing how Javascript can be used to collect passwords from Firefox. He'll also show how to grab other personal data from IE 6 and IE 7.

His demo will involve getting passwords out of Firefox's Password Manager using "nothing but garden variety Cross-Site Scripting (XSS)," says Grossman, who is founder and CTO of WhiteHat Security and is a co-founder of the Web Application Security Consortium. Execution requires tricking Firefox users into visiting a site hosting the XSS malware, but how hard is that?

As for IE, Grossman will also show attendees of his session how to mine the autocomplete function in IE 6 or 7 to scrape users' first name, last name, aliases, e-mail addresses, physical address, etc.

None of these vulnerabilities are new but that doesn't stop the black hats from using them.

Interestingly, Microsoft promises that IE 8 is less susceptible to XSS than earlier versions of IE or other browsers. But, ironically, it was a demo at Black Hat EU that demonstrated how to use IE 8's XSS filter to actually implement an XSS attack that would have been difficult to pull off without it. By April, Microsoft had issued a total of three patches to fix the XSS holes in IE 8. Grossman doesn't name IE8 among the browsers he plans to use to demo Javascript attacks.

As for the beloved open source Firefox browser, there are a couple of fixes users can take right away. This would be wise to do before every Web application hacker in the nation gets a first-hand demo. One is to simply delete your passwords. The other is to download a Mozilla-approved Firefox add-on such as LastPass Password Manager. Be forewarned, users on the LastPass site say that it crashes Firefox 3.6.6 a lot, particularly on Windows 7.

Alternatively, take the passwords out of the browser altogether and use an open source password manager like KeePass (pictured below, click to enlarge image.) However, KeePass is geared toward Windows users, working natively on just about every Windows operating system out there. But it requires Wine for the free "Classic edition" or "Mono" for the commercial edition. Linux users needing a cross platform password manager will likely want the Linux port, known as KeePassX. This one supports MacOS, too.

Updated July 22:  Per the comment from Bill H. below, I found the link to the security updates for Firefox 3.6.7 pushed out on July 20. Several of them discuss fixing vulnerabilities pertaining to Cross Site Scripting (they use the acro CSS on the Mozilla page), though none of the release notes actually mention fixing the hole that allows hackers to grab passwords. Presumably, if the browser is blocking XSS, it will protect against the script that snatches passwords.

I still think it's not a bad idea to use a third-party tool for password protection.

Here's the list of fixes, courtesy of Mozilla  in the security update for 3.6.7. About two dozen other security fixes were pushed out for other 3.6x versions of Firefox as well.

Fixed in Firefox 3.6.7

MFSA 2010-47 Cross-origin data leakage from script filename in error messagesMFSA 2010-46 Cross-domain data theft using CSSMFSA 2010-45 Multiple location bar spoofing vulnerabilitiesMFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanishMFSA 2010-43 Same-origin bypass using canvas contextMFSA 2010-42 Cross-origin data disclosure via Web Workers and importScriptsMFSA 2010-41 Remote code execution using malformed PNG imageMFSA 2010-40 nsTreeSelection dangling pointer remote code execution vulnerabilityMFSA 2010-39 nsCSSValue::Array index integer overflowMFSA 2010-38 Arbitrary code execution using SJOW and fast native functionMFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerabilityMFSA 2010-36 Use-after-free error in NodeIteratorMFSA 2010-35 DOM attribute cloning remote code execution vulnerabilityMFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)   

Like this? Here's more:

Follow Julie Bort on Twitter @Julie188

Follow all Open Source Subnet blog posts on Twitter @OSSubnet

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies