web application security lab

Programmatic Password Theft Is Back

The title of this post was going to be “we weren’t slashdotted again” but I thought that was just a little too sarcastic. Yesterday Slashdot ran an article on password theft via XSS. If this looks familiar it’s because it is. We have been talking about this for a few months here and here. I’m not bitter, but the information on slashdot is incorrect. The first example of this was actually built in a lab environment nearly two years ago and we’ve been talking about this since August. But who’s counting?

That’s the annoying news. The good news is that apparently Firefox has now decided it’s a problem (I guess it isn’t a problem when I say it but it is when Myspace gets attacked with it… go figure). The real problem here is that this isn’t a Firefox-only issue. It is indicative of many types of password/form managers, not just a single browser. So while Firefox can protect its users from this issue, it can’t protect them from third-party tools that do the same thing.

So yes, it’s old news, but it is new that Firefox has filed a bug on it. I wish I had better news, but I don’t think id would like it too much if we got slashdotted again. We’ve had enough server woes over the last few weeks; we don’t need any more. :)

4 Responses to “Programmatic Password Theft Is Back”

  1. RSnake Says:

    Go Secunia go! They revised their advisory (I didn’t even ask them to): http://secunia.com/advisories/23046/

  2. pagvac Says:

    After having read about this issue and also having experimented with it, I realized that although Robert Chapin deserves credit for documenting this issue to the public, RSnake mentioned this first in August 2006, and therefore should be credited as the discoverer.

    RSnake, why didn’t you send your comments on this issue to bugtraq or FD? If you did, then ignore my question :-)

    I guess that a nice real attack walkthrough and a post to the security mailing lists would have made a big difference in both crediting the author and obtaining media coverage.

    I sent a post to FD titled “RCSR fun: stealing FF passwords the easy way” which talks about this issue and also includes an attack walkthrough along with a PoC. I’m sorry I didn’t credit you RSnake, but instead I only mentioned Robert Chapin, who I still think deserves credit for documenting the issue so nicely.

  3. Stefan Esser Says:

    Sorry to disappoint you but this “news” was already covered in Web Application Security Talks in 2005. The behaviour afaik is also described in a German PHP security book from 2005…

  4. RSnake Says:

    pagvac - don’t worry about it, I wasn’t that annoyed, I promise. I rarely post to bugtraq or full disclosure anymore about anything. I know it’s a way to reach a wider audience, but I hate dealing with the backlash by people who either don’t get it or don’t care. I figure that most of the people who care about web application security already know about my website.

    Stefan - I wouldn’t say I’m exactly disappointed, however, we had a working prototype in a lab in 2004, which still pre-dates that reference, but we never published it because it had a fairly limited usefulness without XSS, which had next to zero interest in the hacker community back then (this site didn’t even exist back then). But I will admit I never saw those two references you mentioned (I don’t read German).

    Anyway, like I said, I wasn’t that upset… the only thing I cared about was that Firefox suddenly took it seriously way after it was disclosed originally instead of reacting immediately. Alas!