Firefox 2/IE7: Beware Of Using Password Manager

[miCRoSCoPiC^eaRthLinG 0]

Those who are using Firefox 2 or IE7 might be at a risk of loosing their login credentials to various sites, if they're using the in-built Password Manager of either browsers. Apparently, Firefox 2 users are more at risk.

 

The basic concept is, phishers can utilise spoofed URLs belonging to the same domain for which you'd saved login information to capture your login credentials when you try to login again. Apparently, none of the browsers check for the validity of the URLs prior to filling up the forms on the page - thus disclosing your credentials to spoofed pages (and consequently to the phishers) as long as the URLs are under the same recognised domain.

 

Read more about this bug (??) ....

 

The latest versions of both Firefox and Internet Explorer are vulnerable to an unpatched flaw that allows hackers to snaffle users' login credentials via automated phishing attacks.

 

The information disclosure bug affects the password manager in Firefox 2.0 and its equivalent in IE7. Firefox's Password Manager, for example, fails to properly check URLs before filling in saved user credentials into web forms. As a result, hackers might be able to swipe users credentials via malicious forms in the same domain, providing users have already filled out forms on this domain.

 

Samples of attacks utilising the flaw have already been reported on MySpace. Firefox 2.0 users might be more at risk from the flaw because IE7 does not automatically fill in saved information. Security notification firm Secunia advises users to disable the "remember passwords for sites" option in their browsers pending the delivery of patches.

 

Source: http://www.theregister.co.uk/2006/11/23/fake_login_flaw/

 

As for me I never trusted the browser based password managers and have always been using this tool called AI Roboform over the past 2 years. Never gave me a chance to complain

[sujith 0]

Opera do not have any such problems it work flawlessly and efficiently.Both Internet Explorer 7 and Firefox 2.0 become vulnerable within weeks of their public release.As things get popular new security loop holes will be discovered, it is same for windows too.

[Markymark2 0]

LOL!!!

Yet another bug in Firefox hahahah when are people going to stop jumping on the Firefox bandwagon?

Get a decent browser FFS!!!



http://www.opera.com/

[xboxrulz1405241485 0]

Opera's not invisible either. I never use the password manager, I hate this technology btw.xboxrulz

[Quatrux 4]

I always use the Opera password manager, for me personally it is very useful. I am the only one who am using my computer and every time I visit a site I just push ctrl+enter and thats all, I get logged in into any of the sites I saved the password and it is so easy, you log in the for the first time and the browser ask you to remember or not now and you can choose for the entire domain or only for that page.. Moreover, if the site has two account, say usually like google, gmail, adsense, I just need to choose which username to use. For me it is one of the most useful tools in the browser. And I usually logout/signout from any site. :PI just don't like, for example, when I reinstall windows and the password manager again is empty, even though it was a long time ago.. I don't like to do all over again to save the session. But one bad thing about password managers is that it really is much easier to forget the username+password you're using. I have about 4-5 main passwords usually with the same username, but sometimes I just forget where which one I use, due to the password manager usage, that is why I am using the great program KeePass, to save all my passwords and of course if I ever have a computer failure, I have them somewhere on my notes :PThe bad things about having passwords on a note, you leave the paper on your desk or something like that and invite some friend to your house for a beer or something and usually they can see it if they will want to, that is why it is better to keep them in a save place.

[jimmy89 0]

Thanks for the tip! i have never trusted the built in password managers - as a matter of fact, i've never really trusted any type of password managers. You can never trust computers with confidential information like passwords and card numbers!

[toby 0]

I love this love for Opera. Theres only two or three places where I need it(because it logs me out, sessions), but I still store a lot in there.Though 9.00 and 9.01 weren't around for long, I went from 8.5-something to 9.02.

[CaptainRon 0]

hmm... this is scary! blog sites will be the worst affected domains. any site that lets you customize itself is at risk i guess.

[WeaponX 0]

I'm also not a fan of these browsers that have these password managers built-in. But I have actually used them recently due to the time it saves me having to remember all my usernames and passwords for sites I visit a lot.

 

I remember trying out AI Roboform as it's become very popular but it didn't support Opera. I didn't know it supported Firefox either (maybe just recently). Just did a search and see that they have the extension for it on their site. Switching back and forth on Opera and Firefox as I love both browsers

 

Firefox has an extension called SpoofStick but I don't think the author updated it to support more recent Firefox versions. Found another one called Petname Tool that will help users avoid those phishing/scam sites. This should users help weed out those suspicious looking sites.

[xboxrulz1405241485 0]

It's best to never write down passwords or even store them in your computer. It's best to commit it to memory.xboxrulz

[niran 0]

thanks for the info friend!

I never use those bult in password managers in IE and Firefox!

 

I used to go with AI Roboform https://www.roboform.com/

Its a rocking software, and its compatible with all those major browsers like:

IE, Firefox, Mozilla, Netscape 7, Netscape 8, SeaMonkey, Flock

 

Complete List of Supported and Not Supported Browsers

 

If browser is listed and the line does not say that it is not supported, then browser is supported.

If you do not see your favorite browser in this list, let us know.

 

4cvision

550access

Abolimba

Accutrade

Ace Explorer

Adorama Print Wizard

Advanced Browser

AM Browser

AOL browser

AOL client

AOL Explorer

Avant -- with RoboForm toolbar

Auction Sentry

Auction Tamer

Bay Office

BigOven

Bingooo

BroadPage

BT + Yahoo browser

Bubbles (IE mode)

Cayman Browser

Chaos !ntellect

Compuserve ver 6 or less -- supported

Compuserve ver 7 -- NOT supported

Copernic

Crazy Browser

DeepNet

Donut (JP)

DonutP

DonutQ

DX Browser

E2 by VNcom

EarthLink Browser

Enfish OneSpace

Enigma Browser

Explorer 2002

Expensable

Fast Browser

FastStone

Firefox -- Adapter required

Flock -- Adapter required

Front Page

Fun Browser

GoSurf

Grani

Green Browser

GuruNet FactFinder

Ideal Browser

IE Opera

Internet Explorer -- with RoboForm toolbar

Internet Surfer

iPostage

iRider

iTreeSurf

jBrowser

Juno

KIKI (JP)

KK Man

Kontiki

K-Meleon -- NOT supported

LunaScape (JP)

m9P Surfer

MaxThon -- with RoboForm toolbar

Medical Browser

Money (MS)

Moon Browser (JP)

Motive Browser

Mozilla -- Adapter required

MSN ver 6 to 9

MSN TV -- NOT supported

MusicMatch Jukebox

MyIE2 -- with RoboForm toolbar

MyWeb4Net

Napster

NeoPlanet

NetCaptor (with RoboForm toolbar)

Netscape ver 4 -- NOT suported

Netscape ver 7 -- Adapter required

NetSurf

Oligo

Opera -- NOT supported

Optimal Desktop

Outlook (MS)

Public Web Browser

Quicken (Pro)

QuickBooks

People PC

RealOne Player

Research Desk by Winferno

Paid Help

Paragon Last Minute

PC Health

PhaseOut

PSP 8 Register

SAP logon

Safari -- NOT supported

SBC + Yahoo browser

Secure IE

Sleipnir (IE mode)

Slim Browser -- with RoboForm toolbar

Smart Explorer

SnipeRight

SR Browser

SurfBoard by HP

Sweepstakes Online

Tablane

Tabrowser

TG Games

TenCent Browser

TextBrowser (JP)

Tiscali Browser

T-Online Browser

TurboSweeps

Ultra Browser

UltraRecall

unDonut (JP)

WalMart Connect

Wanadoo Browser

WebMA (KR)

WebMoney

WebSite Watcher

WebSpeedReader

Wichio

Windows Media Player

WinFerno

Wysigot

Yahoo Browser

Yahoo Music Engine

ZapTastic

 

 

But one sad news is, RoboForm does not work with the Opera browser.

 

It can, fill personal informatn into online forms, can Generate Secure Random Passwords, Encrypt passwords and personal data using powerful encryptn algorithms like, AES, Blowfish, RC6, 3-DES or 1-DES..

Using that you can Backup & Restore, Print your passwords! Using that you can autoSave passwords in browser, AutoFill passwords to login form!

And you don't need to enter any one character in the address bar to login to any of the website!

Just click the desired Roboform login account! That will open the desired address, and autofill the login forms, and will submit the forms!

[Alegis 0]

I do use the password manager, but stopped using addons such as gmail notifier for firefox (got the desktop one from google instead) as other addons would have been able to access my gmail login info then.Well. I'm not using virus scanner and the likes either as I know what I'm doing, which sites I visit - so I'm not panicking. They'll fix this soon enough. Eitherway I love the password manager.

[black shadow 0]

I don't think thats true, a lot of ppl use the FF password manager and nothing happened i ain't so sure about IE since it sucks you may lose your password but it's highly unlikely, maybe if you visit porn and warez type of sites that have all sorts of trojans and stuff.

[Saint_Michael 3]

Interesting little post, Lucky for me I can tell a fake from a legit site and I only save my passwords to very specific sites and what not.

[kgd2006 0]

Thanks for the tip micro, Im a firefox and IE7 user and I sometimes use the password manager now I am considering not to use it completely because of this post. Dont want to run the risk of having people making my life harder than it already is. thanks again for the helpful hint...