The title of this post was going to be “we weren’t slashdotted again” but I thought that was just a little too sarcastic. Yesterday Slashdot ran an article on password theft via XSS. If this looks familiar it’s because it is. We have been talking about this for a few months here and here. I’m not bitter, but the information on Slashdot is incorrect. The first example of this was actually built in a lab environment nearly two years ago and we’ve been talking about this since August. But who’s counting?
That’s the annoying news. The good news is that apparently Firefox has now decided it’s a problem (I guess it isn’t a problem when I say it but it is when Myspace gets attacked with it… go figure). The real problem here is that this isn’t a Firefox-only issue. This is indicative of many types of password/form managers, and not just a single browser. So while they can protect their customers from this issue, they can’t protect their customers from other third-party tools that do the same.
So yes, old news, but new that Firefox has filed a bug on it. I wish I had better news, but I don’t think id would like it too much if we got slashdotted again. We’ve had enough server woes over the last few weeks; we don’t need any more.