Thursday, December 07, 2006

DevX News

Using Mozilla Firefox's built-in Password Manager to keep track of your browser's passwords? It makes site logins faster but it also could help malicious sites steal your passwords.

The bug, which has been known to Mozilla for at least 10 days, remains unpatched, and both a proof of concept and working exploits exist in the wild.

"I was shocked today to find an in-the-wild phish that uses nothing more than cross-site forms, and also extracts information from the Password Manager!" security researcher Robert Chapin wrote in a November 12th e-mail posted in the Bugzilla bug tracking system.

"The underlying method was so obvious that it should have raised multiple warnings," Chapin continued. "There were none at all."

The flaw allows a maliciously crafted page to auto-fill a login form with credentials saved for the site hosting the page, while the form itself submits them to a third-party server. Firefox 2.0 and earlier versions give no warning that the form's destination differs from the site the credentials were saved for.

Details of the flaw first became public this week. Mozilla developers do not yet have a fix.

"Since this bug is an in-the-wild attack we're not protecting anyone by hiding the details anyway," Mozilla developer Daniel Veditz wrote in a Bugzilla entry. "Up to now, browser makers have focused on user convenience and assumed sites with valuable passwords would be well-written. But they have bugs just like we have bugs so we might have to be more defensive."

Solutions? Surf carefully. Or just don't use the feature until a fix comes out. Security outfit FriST recommends that users disable the "Remember passwords for sites" feature in the Options menu.
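The defensive check the flaw described above calls for is that a saved credential should only be filled into a form whose submission target is the same origin the credential was saved for. The following is an added illustration written for this article, not Mozilla's code; the policy, the function names and the sample credential are all constructed here.

```javascript
// Resolve a URL (possibly a relative form action) against the page URL and
// return only its origin: scheme://host[:port].
function originOf(url, base) {
  return new URL(url, base).origin;
}

// Autofill policy for a password manager (constructed illustration).
// credential: { origin, username } saved when the user last logged in.
// pageUrl:    URL of the document that contains the login form.
// formAction: the form's action attribute; "" means "post to the page itself".
// Returns { fill: boolean, reason: string } so callers can log the decision.
function shouldAutofill(credential, pageUrl, formAction) {
  const pageOrigin = originOf(pageUrl);
  const targetOrigin = originOf(formAction || pageUrl, pageUrl);
  // Check 1: the credential must belong to the origin showing the form.
  if (credential.origin !== pageOrigin) {
    return { fill: false, reason: `saved for ${credential.origin}, page is ${pageOrigin}` };
  }
  // Check 2 (the one the article says was missing): the form must submit back
  // to that same origin, not to a third party. A scheme change (https -> http)
  // also counts as a different origin.
  if (targetOrigin !== pageOrigin) {
    return { fill: false, reason: `form posts to ${targetOrigin}` };
  }
  return { fill: true, reason: 'same-origin form' };
}

// Site-side audit helper: given the forms found on a page (e.g. one that
// renders user-contributed HTML), list those with a password field whose
// action leaves the page's origin. forms: [{ action, hasPasswordField }].
function findCrossOriginPasswordForms(pageUrl, forms) {
  const pageOrigin = originOf(pageUrl);
  return forms.filter(f =>
    f.hasPasswordField && originOf(f.action || pageUrl, pageUrl) !== pageOrigin
  );
}

// Constructed sample data (no real sites or accounts).
const savedCredential = { origin: 'https://social.example', username: 'alice' };
const sampleForms = [
  { action: '/login', hasPasswordField: true },
  { action: 'https://collector.example/grab', hasPasswordField: true },
  { action: 'https://search.example/q', hasPasswordField: false },
];

console.log(shouldAutofill(savedCredential, 'https://social.example/profile/bob',
                           'https://collector.example/grab'));
console.log(findCrossOriginPasswordForms('https://social.example/profile/bob', sampleForms));
```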

Wednesday, December 06, 2006

Closer ties for Mozilla, Linux programmers

Programmers from Red Hat, Novell and the Mozilla Foundation have pledged closer cooperation to ease the technical obstacles that exist today, work that is intended to produce versions of the Firefox browser tailored for different versions of Linux.

"The browser on Linux is currently in a sad state of affairs," said Red Hat's Chris Aillon on his blog Monday, complaining that different versions of Linux incorporate different variations of the browser source code and that the generic version released by Mozilla won't run on newer Linux versions such as Fedora Core 6, released in October.

Likewise, Mozilla programmer Mike Connor said on his blog, "Historically, there has been a great deal of tension between mozilla.org and the Linux distros ("distributions" such as Fedora, Debian, Ubuntu or OpenSuse), notably over maintenance of branches, divergence between distros, and lack of sustained communication between the groups."

Connor, Aillon and Robert O'Callahan from Novell sat down with others at the Firefox Summit to figure out what should be done. The programmers agreed on a more formal code-sharing relationship and assigned responsibilities for maintaining Linux-related code.

"The big change is that the distros, Red Hat, Ubuntu, Novell, etc. will now have much more say over what happens with the Linux bits," Aillon said. And Connor said Mozilla will encourage use of distribution-specific versions of Firefox by pointing to those versions from its download page.

"It is hoped that the proposed changes will drive a stronger and more balanced partnership among Mozilla contributors and enable the Linux community to work more closely with the Mozilla community. More importantly, we believe this will drive a bigger focus on creating a better Linux user experience for everyone," Connor said.