A very disturbing Firefox security flaw!!!!

hmm. i don't tend to store passwords in any browser- but just to be sure i don't inadvertently do so, i disabled that feature. thanks for the warning.

 

I use Mozilla rather than Firefox so I'm going to give this a good read before I make a decision. I sure don't want to use Safari as my default browser.

 

I just don't ever save passwords or logins for anything that has to do with my finances or personal info. If you let the computer remember them, what happens when your computer crashes, or if you ever clear out the passwords? It also means that whoever can physically get on your computer will be able to access all that secure info wth no effort.

 

<div class='quotetop'>QUOTE(Godiva @ Nov 22 2006, 06:15 PM) [snapback]353210[/snapback]</div>

I thought Mozilla and Firefox were the same thing....Mozilla FirefoX....boy , do I feel stupid now.

 

<div class='quotetop'>QUOTE(Schmika @ Nov 22 2006, 08:30 PM) [snapback]353304[/snapback]</div>

Mozilla.org makes Firefox, Thunderbird and a number of other applications. They also make something called the Mozilla suite. My browser's icon is a blue square with a big white "M". Firefox's icon is a circle with a fox chasing it's tail. I don't think they are the same browser and I'm not sure what the differences are.

If you look on the Mozilla downloads page you'll see Firefox, Thunderbird and Mozilla.

Click Mozilla and you'll get this:

Mozilla suite
" Web-browser, advanced e-mail and newsgroup client, IRC chat client, and HTML editing made simple -- all your Internet needs in one application."

The Mozilla Suite is what the old Netscape Navigator suite used to be.

 

I never store critical passwords on the computer. I store passwords that are not critical: If someone gets onto my computer and gets my PriusChat log-on, the worst they could do is post in my name, or if they get my CU password they could read articles on the web site. But my bank password, no way!

 

I just set a master password for Firefox - then before sending out any password info, it makes you type your master password into firefox first.

It'll do as a temporary fix until they issue a patch (likely really quickly).

It's also important to note that even with this flaw, Firefox will still only send the passwords if the hidden form being submitted is ON the authorized website - it's unlikely any legit sites (banks and the like) would purposefully put hidden forms on their servers to steal your passwords.

It's more of an issue on "myspace"-type sites because users can post their own code on there and because it's all under the same domain, it can trick the browser into authenticating on the wrong path. For commercial sites where users can't post their own pages, it's pretty-much a non-issue unless someone at the site wants to steal a password from you.

Dave

 

have to go with Presto and others here. it is EXTREMELY unwise to use any kind of password manager for financial sites or any other sites that have payment information or a billing history with you (wireless, cable, credit cards, etc) and the reason why is PHYSICAL security.

anyone who has physical access to your computer can access these sites by simply clicking on a saved link?? that is tremendously foolish. if your computer was stolen or more commonly, sold by yourself and you forgot to remove or didnt remove all traces of personal information (this happens way more often than one would think!!)

i have a Mac laptop with links to all my financial services (do not access any of these financial sites from a windows based computer EVER and the Mac has multiple layers of security including a bootup password. but even with that security, i never allow it to save passwords.

the only thing Firefox saves on my password screen is basic stuff. need log-ins for everything. i have mine for my e-mail (doesnt work, i am required to re log in every 7 days or so...) and a multitude of other sites like yahoo, my space, Priuschat, engadget, and a handful of newspaper sites. thankfully half of the above sites now track passwords with cookies so dont even need them anymore but cookies dont last forever.

 

I restrict my browser to non financial passwords and usernames.

Because all my computing is on a notebook, I find a paper trail (although the best) to be too inconvenient, so I have my passwords in a program not widely known, and the single microsoft app on my drive is very rarely used, and shut down as soon as I am finished with it.

For a while I had all my passwords on an external USB key drive attached to my keychain, but the Prius smart key scuttled that approach, since my keys now live somewhere at the bottom of my pack.

All in all, if I can have my passwords encrypted on a Macintosh, and a master password REQUIRED EVERY TIME I REQUEST A SECONDARY PASSWORD, I'd feel OK about security.

 

What's a financial password?

Over here, banks use challenge/response tokens, not passwords. You get a calculator (some banks have you insert your bank card into the calculator, some banks deliver unique calculators, each with a personal key built in). To get into your account, activate the calculator with a PIN, enter the challenge digits from the website login screen on the calculator and enter the calculator response in your browser.

So you can only get in with something you know (the PIN) AND something you have (the unique calculator and/or bank card).

It's not 100% safe, but better than just a password...

 

i have challenges for my work log-ins that require me to answer a series of randomly selected personal questions. security is important as it should be in any professional environment.

passwords in conjunction with usernames are used when accessing financial sites from the internet.

 

My computer can go a month if not longer between shut-downs, and my browser is active the entire time. So a master password doesn't strike me as much security. Even if I turned off the browser between sessions, malware could simply hang out and wait for me to unlock the master, and then query FFx with a rather short list of financial institutions.

 

well i just got a message that AVG has released a new version 7.5 of their anti-virus suite. had to reboot for that. also have to reboot for misc window updates, which speaking of, i get a message every day to download a security update for macromedia which never seems to be successful. any one else have this issue?

 

I wish they'd do tokens or OTP schemes in the US like they're
starting to roll out in EU. american financial institutions have
no freakin' *clue* how to do security anywhere near right, and
simply stonewall any attempts to bring them up to speed on how.
.
_H*

 

Put me in the category of those who never allow passwords that matter be saved by my browser. It just doesn't make any sense. For forums I always say yes. For things involving my money -- no way.