Dynaverse.net
Off Topic => Engineering => Topic started by: Nemesis on July 24, 2007, 09:56:06 pm
-
Link to full article (http://www.linux.com/feature/118166)
According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw.
Apparently the password can only be stolen for the site that the JavaScript is on. It can't steal all passwords.
-
So the site can steal the password only for people who sign up for that site -- which begs the question, shouldn't they already have the username and password?
-
So the site can steal the password only for people who sign up for that site -- which begs the question, shouldn't they already have the username and password?
No, not if they are spoofing another site, like a bank or some other place that deals with other people's money. Granted, it's a remote chance that something like that could happen but... *shrugs*
-
Ah, they'll get a fix out fairly quickly.
-
So the site can steal the password only for people who sign up for that site -- which begs the question, shouldn't they already have the username and password?
Some sites also apparently allow members to add JavaScript to their own pages. Those pages could grab the site password.