Firefox 3 - Still possible to steal user credentials....

By  Jun 19, 2008

Topics: Web Development, Security

The Password Manager in Firefox is still broken. Using a bit of JavaScript, it is relatively easy to steal a victim's user/pass right out from under their nose. All it takes is a bit of XSS, and you can not only grab the user/pass but also change the form's action value to one of your own, or just location.href the results to another site and use the referrer to bounce back to the original site.

I would have thought this would have been fixed by now, but I guess not! So, until you hear otherwise, don't use the Password Manager.
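
A defensive check for the form-action tampering described above, as an added example that is not part of the original post: it resolves each password form's action against the page URL and reports any that would submit somewhere other than the page's own origin. The page URL, host names and form descriptors are constructed sample data, and `classifyFormAction` and `auditForms` are hypothetical helper names.

```javascript
// Added example, not from the original post.
// Flags password forms whose submission target is no longer the page's own origin.

// Resolve a form's action against the page URL and classify the result.
// An empty or missing action means the form submits back to the page itself.
function classifyFormAction(pageUrl, action) {
  const page = new URL(pageUrl);
  let target;
  try {
    target = new URL(action == null || action === '' ? pageUrl : action, page);
  } catch (e) {
    return { ok: false, reason: 'unparseable action' };
  }
  // Schemes such as javascript: or data: never belong on a login form.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { ok: false, reason: 'non-http scheme ' + target.protocol };
  }
  // Origin covers scheme, host and port, so an https -> http downgrade is caught too.
  if (target.origin !== page.origin) {
    return { ok: false, reason: 'cross-origin target ' + target.origin };
  }
  return { ok: true, reason: 'same-origin' };
}

// Audit form descriptors {id, action, hasPassword}; only password forms matter here.
function auditForms(pageUrl, forms) {
  return forms
    .filter((f) => f.hasPassword)
    .map((f) => ({ id: f.id, ...classifyFormAction(pageUrl, f.action) }))
    .filter((r) => !r.ok);
}

// Constructed sample data (hypothetical hosts under the reserved .test TLD).
const PAGE = 'https://app.example.test/account/login.php';
const SAMPLE_FORMS = [
  { id: 'login', action: 'login.php', hasPassword: true },
  { id: 'search', action: 'https://search.example.test/q', hasPassword: false },
  { id: 'login-tampered', action: '//collector.example.test/in', hasPassword: true },
  { id: 'login-js', action: 'javascript:void(0)', hasPassword: true },
  { id: 'login-empty', action: '', hasPassword: true },
];

function runSample() {
  return auditForms(PAGE, SAMPLE_FORMS);
}

console.log(runSample());
```

In a page or a browser test harness, the descriptors can be built from `document.forms`, using each form's `getAttribute('action')` and `location.href` as the page URL. The check covers the changed-action case only, not a redirect that carries the values in a URL.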


Sample login page
http://airscanner.com/security/07080103_minimo.2/login.php

Sample PoC page
http://airscanner.com/security/07080103_minimo.2/poc.htm