XSS demo for stealing passwords from the Firefox password manager


Post by ssj100 on 1/8/2010, 07:02

Check it out here:
http://ha.ckers.org/weird/xss-password-manager.html

NoScript seems to block this easily. Just tested Prevx SafeOnline and it fails. To be honest, I don't think anything can block this except for NoScript (or similar).

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: XSS demo for stealing passwords from the Firefox password manager

Post by languy99 on 1/8/2010, 07:51


Re: XSS demo for stealing passwords from the Firefox password manager

Post by arran on 1/8/2010, 10:25

Thanks guys for this useful information. Yes, Secure Login does block it, and it also seems very useful because you don't have to retype your password again when you revisit, and because many sites now require script to be able to view them properly. You just need to allow access to saved passwords in the Sandboxie settings if you are using Sandboxie. I have added Secure Login to my sig and arsenal.

Re: XSS demo for stealing passwords from the Firefox password manager

Post by languy99 on 1/8/2010, 10:29

Make sure to also right-click on the key and select "activate JavaScript protection at login"; it should help protect it even more. And if you mod a setting in the Firefox config you can use it to remember passwords on sites that don't normally let you.

Re: XSS demo for stealing passwords from the Firefox password manager

Post by ssj100 on 1/8/2010, 16:27

arran wrote:...and because many sites now require script to be able to view them properly...

You'd still have to white-list the (malicious) script in the first place to have your password stolen? And there's no reason to white-list this unknown (malicious) script - it wouldn't be required to view a web-site properly.

Take this example:
1. You allow (white-list) gmail.com in your NoScript.
2. You log into your Gmail account.
3. You save your password in the Firefox password manager.

So how can a malicious script run in the first place on gmail.com? It could only run if you specifically white-listed it. As far as you're concerned, you would only need gmail.com to be allowed to run, and not eg. imgoingtohackyou.com.

Regardless, there probably are theoretical methods to bypass NoScript (however rare they may be). The best protection therefore (in this context) is to not use Firefox's password manager! I personally don't use it (and have never used it).

