The Firefox Extension Guru’s Blog

Wednesday, December 20, 2006

Update: Firefox Password Manager Vulnerability Part 2

Filed under: Firefox, Fx 1.5, Fx 2.0, Fx 3.0, Tips & Tweaks — El Guru @ 10:29 PM

Note: If you have not done so already, read the previous post: Update: Firefox Password Manager Vulnerability.

Now, I did some testing in Firefox 1.5.0.9 as well as 3.0a1 and the results were, well, surprising:

  • Firefox 1.5.0.9 ~ Same vulnerability exists, but doing the tweak in about:config as described in the previous post fixes this.
  • Firefox 3.0a1 ~ Same vulnerability exists as well. However, there is no about:config entry for signon.prefillForms. So I decided I would add the entry to about:config and perform the test. The results were not good: Firefox 3.0a1 failed the test. Actually, I am not surprised by this, since there have been a lot of “declaration” changes in both about:config and the userChrome.css with this version of Firefox. Since Firefox 3 is still in early development, I am not really worried about this.

Update: Firefox Password Manager Vulnerability

Filed under: Blogs, Firefox, Fx 2.0, Mozilla News, Tips & Tweaks — El Guru @ 10:13 PM

With Firefox 2.0.0.1 released yesterday, many folks have been asking whether it fixes the Firefox Password Manager Vulnerability. The short answer is NO. However, there is a simple fix via an about:config tweak that will protect you until this is fixed in the 2.0.0.2 release next month. In order to get 2.0.0.1 with all its fixes out in a timely manner, this fix was pushed back to the next release. Before you do this tweak, take a look at this demonstration site; it will show you exactly how the vulnerability works. Be sure to visit the site again to test your browser after you have completed the tweak below:

  1. In a new tab, type about:config in the address bar and press Enter (or click Go)
  2. In the filter field, copy and paste signon.prefillForms
  3. Double-click the entry to change the value to false
  4. Close the tab

With this tweak in place, when you come to a login page, Firefox will not automatically pre-fill your saved user name and password. Instead, as you start to type your user name, a drop-down will appear. Select the correct user name and the password will be filled in from there.
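The same setting can also be applied from outside the browser by writing it to the profile's user.js file, which Firefox reads at startup. The script below is an added example, not part of the original post; the function names, the sample file content and the temporary folder standing in for a profile directory are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

PREF = "signon.prefillForms"              # preference named in the post
WANTED = f'user_pref("{PREF}", false);'   # user.js form of the about:config tweak
# An active (uncommented) user_pref line for PREF, whatever value it sets.
_ACTIVE = re.compile(r'^\s*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,.*\);\s*$')


def harden_text(text: str) -> str:
    """Return user.js content with exactly one active line setting PREF to false."""
    kept = [ln for ln in text.splitlines() if not _ACTIVE.match(ln)]
    kept.append(WANTED)                   # single authoritative entry
    return "\n".join(kept) + "\n"


def harden_profile(profile_dir) -> bool:
    """Apply the setting to <profile_dir>/user.js; return True if the file changed."""
    path = Path(profile_dir) / "user.js"
    old = path.read_text(encoding="utf-8") if path.exists() else ""
    new = harden_text(old)
    if new != old:
        path.write_text(new, encoding="utf-8")
    return new != old


if __name__ == "__main__":
    # Constructed sample: one unrelated pref, one active line that re-enables
    # prefilling, and one commented-out line that must be left alone.
    sample = (
        'user_pref("browser.startup.page", 1);\n'
        'user_pref("signon.prefillForms", true);\n'
        '// user_pref("signon.prefillForms", true);\n'
    )
    with tempfile.TemporaryDirectory() as profile:   # stand-in for a real profile folder
        (Path(profile) / "user.js").write_text(sample, encoding="utf-8")
        print("changed:", harden_profile(profile))
        print("changed on second run:", harden_profile(profile))
        print((Path(profile) / "user.js").read_text(encoding="utf-8"), end="")
```

Run it with Firefox closed, then re-test on the demonstration site as described above.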

Also see: Update: Firefox Password Manager Vulnerability Part 2

Source: mozillaZine Firefox Builds
