New Trick to get Browsers to Expose Passwords
Posted on July 25, 2007, under Web Dev/Tech.
CyberNet News wrote a post titled “Firefox Password Manager Exposes Passwords - Most Secure Browser?” which talks about a new phishing technique.
Essentially, if you use a password manager like the one in Firefox, which auto-fills the username and password fields in a form, you are susceptible to attack. Once the form is auto-populated, a script on the page can use JavaScript to read the credentials out of the form fields. If you read the details, you understand that the attack can only be carried out by script running on the same domain as the login form, but think about how many web sites that attack could happen on: Blogger (Google account info), MySpace, etc. The article gives three possible solutions, including not using the password manager and turning off JavaScript.
The third option was to use a browser extension called Secure Login. The Secure Login extension hooks into Firefox’s Password Manager. All the credentials are still handled by Firefox, but Secure Login prevents usernames and passwords from being auto-populated in a form. It gives you a visual cue that it can fill in the form, and then you must initiate the populating of the fields yourself. That gives you a stop-gap in case you don’t want the form to be auto-populated right away. I’ve used it for a day, and the extension works pretty well.
User comments on the article said Opera has had this feature built in for a while, and suggested using Opera instead. While it’s great to see Opera was ahead of the game, I personally haven’t been able to get comfortable enough with Opera yet to consider a switch. It just doesn’t feel natural to me for some reason when I’m surfing.
If you happen to be like me, and use Firefox and its password manager, take a look at the Secure Login extension to help prevent this new phishing technique.