His demo will involve getting passwords out of Firefox's Password Manager using "nothing but garden variety Cross-Site Scripting (XSS)," says Grossman, who is founder and CTO of WhiteHat Security and is a co-founder of the Web Application Security Consortium. Execution requires tricking Firefox users into visiting a site hosting the XSS malware, but how hard is that?
As for IE, Grossman will also show attendees of his session how to mine the autocomplete function in IE 6 or 7 to scrape users' first name, last name, aliases, e-mail addresses, physical address, etc.
None of these vulnerabilities is new, but that doesn't stop the black hats from using them.
As for the beloved open source Firefox browser, there are a couple of fixes users can apply right away, and it would be wise to do so before every Web application hacker in the nation gets a first-hand demo. One is to simply delete your saved passwords. The other is to download a Mozilla-approved Firefox add-on such as LastPass Password Manager. Be forewarned: users on the LastPass site say that it crashes Firefox 3.6.6 a lot, particularly on Windows 7.
Alternatively, take the passwords out of the browser altogether and use an open source password manager like KeePass. However, KeePass is geared toward Windows users, working natively on just about every Windows operating system out there; on other platforms it requires Wine for the free "Classic edition" or Mono for the commercial edition. Linux users needing a cross-platform password manager will likely want the Linux port, known as KeePassX. This one supports MacOS, too.
Updated July 22: Per the comment from Bill H. below, I found the link to the security updates for Firefox 3.6.7 pushed out on July 20. Several of them discuss fixing vulnerabilities pertaining to Cross Site Scripting (the Mozilla page uses the abbreviation CSS), though none of the release notes actually mention fixing the hole that allows hackers to grab passwords. Presumably, if the browser is blocking XSS, it will protect against the script that snatches passwords.
I still think it's not a bad idea to use a third-party tool for password protection.
MFSA 2010-47 Cross-origin data leakage from script filename in error messages
MFSA 2010-46 Cross-domain data theft using CSS
MFSA 2010-45 Multiple location bar spoofing vulnerabilities
MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish
MFSA 2010-43 Same-origin bypass using canvas context
MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts
MFSA 2010-41 Remote code execution using malformed PNG image
MFSA 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability
MFSA 2010-39 nsCSSValue::Array index integer overflow
MFSA 2010-38 Arbitrary code execution using SJOW and fast native function
MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability
MFSA 2010-36 Use-after-free error in NodeIterator
MFSA 2010-35 DOM attribute cloning remote code execution vulnerability
MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)
The Source Seeker blog is written by Julie Bort, editor of the Open Source Subnet site as well as the Microsoft Subnet, Cisco Subnet sites. Indeed, Bort is the Online Community Editor for all of Network World. She also writes The Microsoft Update blog. If you have an idea for a blog, or a news tip on open source, Microsoft or Cisco, contact her at firstname.lastname@example.org, 970-482-6454 or follow Julie on Twitter @Julie188.