xisto Community
miCRoSCoPiC^eaRthLinG

Firefox 2/IE7: Beware Of Using Password Manager


I might be missing something big here, but from the way I see it, miCRoSCoPiC^eaRthLinG is spreading lots of FUD!

Phishing is a long-known phenomenon that involves crafting a fake website to look like a legitimate website and thus lure (or "fish") naive users into logging in with sensitive information, such as credentials or billing information, to the hacker's server, thus basically giving away your bank account or whatever else to him.

 

Let me expand on this concept with an example. Imagine you have an account over at Neopets. For those who don't know, NP is a virtual pet site, where you can raise your pet and collect money and items. Say you have been slaving over this account for ages, accumulating vast amounts of "neopoints" (the site's fictional currency) and other valuable items, and training your "neopet" in various activities. Now, say some immature kid is trying to deceive you into letting him access your account. He will create a page that looks exactly like the Neopets login page, and give you the link to it, but when you log in it actually sends your password over to his computer, which he can then use to steal your account.

 

There are many ways to "phish" users to a fake page. Many include tricks and psychological games that will only work on computer users who are not very tech-savvy. Obviously, browsers cannot defend against this phenomenon 100%, because how can a browser know if a page is legitimate or fake? Maybe cross-site scripting can be found by a piece of software, but that's just one of many methods of phishing. This is not a "bug" in Fx or IE, because it is the user's naivety that leads to ingenuousness that leads to the vulnerability that these types of attacks cause.

 

Apart from the fact that you really can't blame the browsers for these problems, Firefox 2 and Internet Explorer 7 both feature phishing protection in the form of validating websites against a list of known harmful pages (Fx actually gets its list from the almighty Google). So don't go denouncing any browser for their "vulnerability" to phishing! Oh, and by the way, for all you Opera zealots: Opera will only feature fraud protection in version 9.1, which hasn't been released yet, and it will be turned off by default.

 

Maybe I wrote this whole post just because I didn't understand something in this topic, but from what I can see a lot of critical information has been missing here!! Sorry. :P


@seec77, I think miCRoSCoPiC^eaRthLinG's point was that because of the way Firefox/IE7 was designed, when you do visit one of those phishing sites that try to steal your password, they can directly access your password manager the minute they ask you to fill out a form. So basically it's like you go to that fake Neopets site, attempt to log in with your username and password, and then your Neopets username and password along with all usernames and passwords stored in your password manager are sent to the phisher. Browsers in this case can be blamed since it's their password managers that are the vulnerable ones. If they somehow changed the architecture of their password manager, then maybe people would feel safer using them.

Anyways, I guess I'm now kind of scared, so maybe I'll start deleting my passwords from my password manager now. :P And I'm seriously beginning to doubt the Gmail Manager. I mean, sure, it looks great and all, but maybe it'd be smarter just to download the prestigious Google's manager.


Let me expand on this concept with an example. Imagine you have an account over at Neopets. For those who don't know, NP is a virtual pet site, where you can raise your pet and collect money and items. Say you have been slaving over this account for ages, accumulating vast amounts of "neopoints" (the site's fictional currency) and other valuable items, and training your "neopet" in various activities. Now, say some immature kid is trying to deceive you into letting him access your account. He will create a page that looks exactly like the Neopets login page, and give you the link to it, but when you log in it actually sends your password over to his computer, which he can then use to steal your account.

 

Now let me explain a little bit on how this Password Manager vulnerability compares to common phishing attacks. What you've stated is the most common mode of phishing - that someone creates a popular site lookalike BUT usually at a different similar sounding URL and then tricks the users into following that url, thus revealing their login credentials.

 

However, this exploit can happen over VALID URLs and hence even careful users might fall into the trap. Here's an example --> A lot of the popular Social Networking sites have started offering you human-readable links to the member profiles, rather than the cryptic php variable based dynamic URLs. Currently MySpace, Hi5 etc. all offer you such links.

 

Example:

MySpace: https://myspace.com/browser

Hi5: http://www.hi5.com/microscopic-earthling

 

Compared to this, earlier on the links took the form: social

 

While the new URLs are clearly legible and easy to remember, they've opened up a new avenue of exploit.

 

As I said, earlier on a phisher would have to trick a user into following the phishing URL - but since the domain name would be different, Password Managers wouldn't pop up on their own and/or offer to fill the forms.

 

The browser pass managers essentially rely on the Domain Name + Form Elements combo to fill the pages. You might have noticed that if the name of a certain form element (say login/password input boxes) changes on a page - the password managers won't be able to fill them up properly.

 

Anyway, supposing the login page for MySpace is:

https://myspace.com/browser

 

With the new Profile URL scheme, I can easily create a profile that looks like:

https://myspace.com/browser

... and install an exact copy of the myspace login form there instead of my profile and then make it redirect to my own database for storing the username/passes.

 

Since the DOMAIN is the same and so are the FORM ELEMENTS, the Password Managers are fooled into believing that they've reached the valid login page and thus fill up the form without thinking twice. Come to think of it - this approach can even fool careful users, who might not notice that the "." before html was replaced by a "_".

 

The whole point of this panic is that the pass managers don't validate the URLs properly before form fill-up - for some reason the coding for form fill-up is extremely loose & sloppy. It's really funny - why none of the coders ever thought of this before!! It's quite an evident validation issue. Hopefully it'll be rectified soon :P

 

And hope that explains why this isn't a baseless issue of FUD :P and why people should think twice before using the existing pass managers - till the fixes are released.

 

Cheers,

m^e
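
Added example, not part of the original post and not any browser's actual code: a small JavaScript model of the fill decision described above (host name plus form element names) next to a stricter check that also compares the saved page path and the origin the form submits to. The stricter policy is an assumption of this example, and all hosts, paths and field names are constructed.

```javascript
// Added illustration; not taken from any browser's source code.
// All hosts, paths and field names are constructed sample values.

// Record stored when the user first saved the login.
const savedLogin = {
  pageUrl: "https://social.example/login.html",
  actionUrl: "https://social.example/session",
  fields: ["email", "password"],
};

// Describe a form on the page being displayed. A relative action is
// resolved against the page URL, as a browser does.
function describeForm(pageUrl, action, fields) {
  return { pageUrl, actionUrl: new URL(action, pageUrl).href, fields };
}

function sameFields(a, b) {
  return a.length === b.length && a.every((name, i) => name === b[i]);
}

// Loose policy described in the post: host name + form element names.
function looseMatch(saved, form) {
  return new URL(saved.pageUrl).host === new URL(form.pageUrl).host &&
    sameFields(saved.fields, form.fields);
}

// Stricter policy (an assumption of this example): same origin and path as
// the saved page, and the form must submit to the saved submit origin.
function strictMatch(saved, form) {
  const s = new URL(saved.pageUrl);
  const f = new URL(form.pageUrl);
  return s.origin === f.origin && s.pathname === f.pathname &&
    new URL(saved.actionUrl).origin === new URL(form.actionUrl).origin &&
    sameFields(saved.fields, form.fields);
}

const fields = ["email", "password"];
const cases = {
  realLogin: describeForm("https://social.example/login.html", "/session", fields),
  // Member-controlled page on the same host carrying a copy of the form.
  profileCopy: describeForm("https://social.example/login_html",
    "https://collector.example/store", fields),
  // Genuine URL, but the form submits to another origin.
  foreignAction: describeForm("https://social.example/login.html",
    "https://collector.example/store", fields),
};

// Returns { caseName: { loose: bool, strict: bool } } for every case.
function evaluate() {
  return Object.fromEntries(Object.entries(cases).map(([name, form]) =>
    [name, { loose: looseMatch(savedLogin, form), strict: strictMatch(savedLogin, form) }]));
}

console.table(evaluate());
```

Only the genuine login form passes both checks; the two lookalike cases pass the loose check and are rejected by the strict one.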


But as I know, say on Opera I can choose to use the password and login for the entire domain or just for that file/url/address accessed, so that means domain.net/login.html and login.domains.net will be different, even if the address changed to domain.net/login_x.html. But if you choose to use the same login information for the entire domain, then it will only check for the form input names and stuff. But I usually browse services I trust and never did get this kind of password, but what's the difference if the login will be made automatically with the password manager or manually by hand? You will still send the password if you didn't see that the login page is actually not login.html but login_x.html... As I know, the password manager only works on Opera when you press CTRL+Enter and on Firefox only when you push the submit button with chosen automatic logins; it is just easier for you and you don't need to waste time entering the same username and password again. :F


Alright, so I figured out in my earlier post that I probably had something misunderstood about the topic, and now I understand it was true, so sorry about my long rant!

@m^e: You forgot to mention XSS, which I think can also trick your password manager into giving out your credentials to phishing sites! But I can definitely see the problem now with password managers. I still think that it's a bit of FUD, though, that you made users on these sites untrustful of IE and Fx.

I think that Opera's method, as Quatrux said, of having to press Ctrl+Enter for the password manager to do its thing is smart. Aside from that, it is missing a phishing protector, unlike Fx and IE.


The real lesson is don't be lazy and use password managers for passwords that are vital. You wouldn't write the password down on your desk, or in a text folder, so why have the computer remember?


I honestly don't use the password manager... I feel it compromises security too much. If 'wasting' 1-3 seconds typing in your password is too much work, I don't know what anyone's problem is. Technology is great, but something as trivial as this is making people lazy. Nothing is more safe than your brain.


I think that Opera's method, as Quatrux said, of having to press Ctrl+Enter for the password manager to do its thing is smart. Aside from that, it is missing a phishing protector, unlike Fx and IE.


I don't think I used FF or IE password managers, so when you visit a site the password manager logs you in automatically? What if I don't want to log in or something? But still, when I browse with FF or IE, when filling the form, like my username is quatrux, I just press q and it offers me to paste quatrux, then I just push the tab button and it inserts my password, only when I press enter or the submit button by myself... Or I just don't get something about it? What is the difference if you write it down with your hand on a "bad" site login page, or the browser will? :P


I don't think I used FF or IE password managers, so when you visit a site the password manager logs you in automatically? What if I don't want to log in or something? But still, when I browse with FF or IE, when filling the form, like my username is quatrux, I just press q and it offers me to paste quatrux, then I just push the tab button and it inserts my password, only when I press enter or the submit button by myself... Or I just don't get something about it? What is the difference if you write it down with your hand on a "bad" site login page, or the browser will? :P

Well, from what I've understood, Opera pastes the username/password only if you press a key combination of Ctrl+Enter. On Firefox, the moment that you browse to a site it finds in its password manager, the login fields get automatically filled out. You have to do the final act of logging in by yourself, though. If you have numerous users in your password manager, you will have to fill out the username field yourself, and it will fill in the password automatically for entries it recognizes.


I use the Opera password manager for some of the sites where I don't care if I lose my password or I need a quick login. The password is encrypted and you can choose if you want to save the password for just that page, the whole server or never. It's a handy feature and in my opinion Opera's version is pretty secure. I've never had any passwords leaked or hacked, plus you can set a master password each time you want to access the password manager/fill out a login form.

-HellFire


Well, from what I've understood, Opera pastes the username/password only if you press a key combination of Ctrl+Enter. On Firefox, the moment that you browse to a site it finds in its password manager, the login fields get automatically filled out. You have to do the final act of logging in by yourself, though. If you have numerous users in your password manager, you will have to fill out the username field yourself, and it will fill in the password automatically for entries it recognizes.


So if you have to do the final submission to login, so I don't see why password managers are bad!

Say you go to a page which wants to steal your password, as has been said, not ../login.html but ../login_x.html; you don't see it, you write the username and password yourself and push the login/submit button, your password is taken by someone, voilà!

A password manager just fills the form with your username and password; you do the same, push the submit/login button and voilà, your password is taken.

The only difference is that using a password manager is much faster. You and only you yourself need to know where you log in, and it is not the password manager's fault; it is just a program written for you to make your life easier, more simple. :P


So if you have to do the final submission to login, so I don't see why password managers are bad!

But let's say you visit a site that doesn't have good intentions (aka a phishing site) and they decide to get the passwords from your password manager. If the browser were secure, then these sites should be unable to retrieve your password. However, if the browser were poorly designed, then the site might be able to get a list of your passwords when you submit a form on the site.

That's why password managers are problems--they leave all your passwords out in the open instead of just one if you get tricked to visit and fill out a form at a phishing site. Ex: Let's say there's a phishing site built similar to Gmail. You go there, thinking it is Gmail and fill out your Gmail username and password. If the password manager was secure, you'd only be giving the phishing site your Google username and password. However, if the password manager was insecure, you'd not only be giving away your Google username and password, you'd also give away all other usernames and passwords inside your password manager. Which makes the problem a lot worse.

EDIT: Does anyone here know if the Gmail manager is a secure extension? I've been using that for quite some time and it has proved to be very useful for me. However, I'm not sure if I should continue using it because of its security. It is, after all, run by a third party, and one can never figure out their intentions. I'm inclined to say it has positive intentions, but I'll never know....
Edited by Arbitrary (see edit history)


I never use any kind of password remembering software or write anything down. For every website I go to, I can either reset my password or have them send it to me. I don't want to risk getting my passwords stolen, but I have taken measures to reduce the effects of them getting my password. I use about 6 or so different passwords, so if I lose one, I don't lose security in everything I do online. I live with a couple of roommates, and they swear by the password remembering thing. I can't stand this, because if they don't type it in every time, they will not remember it. They are limited in their passwords because they do not use them every day. They would be left rather helpless if they had to use somebody else's computer because they wouldn't know their passwords. This is why I use a variety of passwords and do not write them down or have any programs store this information. I don't trust Microsoft (that is what I use mostly).


I use about 6 or so different passwords, so if I lose one, I don't lose security in everything I do online.

I use several different passwords as well, but I tend to divide my passwords among the sites. For instance, if I find a site to be important, say my Gmail account, then I give it a secure password that I don't reuse. But if I find that I don't care about what I do on a site or that my identity is not at stake, then I just give it one of my regular passwords.
Also, after the recent switch away from password managers, I've discovered that it's a lot easier now to recall passwords when I'm away from my computer. Before whenever I was at school trying to log in to some account, I'd always forget the password and try digging through my email for it. But now, no such thing happens anymore. Ahh, the wonders of breaking away from a bad dependency. XD

