Thursday, July 26, 2007

Password Vulnerability in Firefox and Safari

The latest versions of Firefox and Safari contain a password management security flaw that could allow certain websites to access stored usernames and passwords.A message on the Full Disclosure mailing list warned that users who have either browser configured to remember passwords, and have JavaScript enabled, are at risk.

Mozilla fixed a similar reverse cross-site scripting flaw in Firefox last November, but this was a lot more serious as it did not require JavaScript to be enabled.

Heise Security has a demonstration of the vulnerability on its website to allow users to determine whether they are vulnerable to the attack.

However, some developers and commentators have questioned whether this constitutes a vulnerability in the browser, as it requires the attacker to place malicious code on the web server.

If an attacker can place script code on a server, they would be able to manipulate the pages anyway, and would have other ways to steal user access data.

Until a fix is released, users are urged to disable JavaScript in their browser or avoid the use of the password manager on sites where users are allowed to post JavaScript pages.

Source |

To disable Java Script in Firefox, go to Tools > Options > Content and untick the Enable Javascript checkbox

To disable Java Script in Safari, go to Preferences > Security > and untick the Enable Javascript checkbox