XSS demo for stealing passwords from the Firefox password manager
Check it out here:
http://ha.ckers.org/weird/xss-password-manager.html
NoScript seems to block this easily. Just tested Prevx SafeOnline and it fails. To be honest, I don't think anything can block this except for NoScript (or similar).
_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Re: XSS demo for stealing passwords from the Firefox password manager
Secure Login seems to block it. https://addons.mozilla.org/en-US/firefox/addon/4429/

languy99- Valued Member

- Posts: 54
Join date: 2010-07-20
Re: XSS demo for stealing passwords from the Firefox password manager
Thanks guys for this useful information. Yes, Secure Login does block it, and it also seems very useful because you don't have to retype your password again when you revisit, and because many sites now require script to be able to view them properly, you just need to allow access to saved passwords in the Sandboxie settings if you are using Sandboxie. I have added Secure Login to my sig and arsenal.

arran- Member

- Posts: 41
Join date: 2010-05-09
Re: XSS demo for stealing passwords from the Firefox password manager
Make sure to also right-click on the key and select activate JavaScript protection at login; it should help protect it even more. And if you mod a setting in the Firefox config, you can use it to remember passwords on sites that don't normally let you.

languy99- Valued Member

- Posts: 54
Join date: 2010-07-20
Re: XSS demo for stealing passwords from the Firefox password manager
arran wrote: ...and because many sites now require script to be able to view them properly...
You'd still have to white-list the (malicious) script in the first place to have your password stolen? And there's no reason to white-list this unknown (malicious) script - it wouldn't be required to view a web-site properly.
Take this example:
1. You allow (white-list) gmail.com in your NoScript.
2. You log into your Gmail account.
3. You save your password in the Firefox password manager.
So how can a malicious script run in the first place on gmail.com? It could only run if you specifically white-listed it. As far as you're concerned, you would only need gmail.com to be allowed to run, and not e.g. imgoingtohackyou.com.
Regardless, there probably are theoretical methods to bypass NoScript (however rare they may be). The best protection therefore (in this context) is to not use Firefox's password manager! I personally don't use it (and have never used it).
_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14
