
Firefox 3 - Still possible to steal user credentials....

By  Jun 19, 2008

Topics: Web Development, Security

The Password Manager in Firefox is still broken. Using a bit of JavaScript, it is relatively easy to steal a victim's user/pass right out from under their nose. All it takes is a bit of XSS, and you can not only grab the user/pass but also change the form's action value to one of your own, or just location.href the results to another site and use the referrer to bounce back to the original site.

I would have thought this would have been fixed by now, but I guess not! So, until you hear otherwise, don't use the Password Manager.

Sample login page

Sample PoC page
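
On the site side, the form-action rewrite described above can be caught at submit time by checking where a password form is about to send its data. The following is an added example, not code from the original post; the function names, the allow-list and the `example.com` URLs are assumptions.

```javascript
// Added example. ALLOWED_ORIGINS and all function names are hypothetical.
const ALLOWED_ORIGINS = new Set(['https://login.example.com']);

// Resolve an action attribute the way the browser does: relative to the page
// URL, with an empty or missing action meaning "submit to the page itself".
function resolveFormTarget(actionAttr, pageUrl) {
  const raw = (actionAttr || '').trim();
  try {
    return new URL(raw === '' ? pageUrl : raw, pageUrl);
  } catch (e) {
    return null; // unparsable target: treat as untrusted
  }
}

// True only when the credentials would go to an allow-listed HTTPS origin.
function isTrustedFormTarget(actionAttr, pageUrl, allowed = ALLOWED_ORIGINS) {
  const target = resolveFormTarget(actionAttr, pageUrl);
  if (target === null) return false;
  if (target.protocol !== 'https:') return false; // http:, javascript:, data:
  return allowed.has(target.origin);
}

// Capture-phase submit guard: cancels any password form whose destination is
// no longer an allow-listed origin. Reads the attribute, not form.action,
// because an input named "action" can shadow that property.
function guardLoginForms(doc, pageUrl, report = () => {}) {
  doc.addEventListener('submit', (event) => {
    const form = event.target;
    if (!form.querySelector('input[type="password"]')) return;
    // A submit button's formaction attribute overrides the form's action.
    const override = event.submitter
      ? event.submitter.getAttribute('formaction')
      : null;
    const action = override !== null ? override : form.getAttribute('action');
    if (!isTrustedFormTarget(action, pageUrl)) {
      event.preventDefault();
      report(action);
    }
  }, true);
}
```

This guard covers only the rewritten form target; script already running in the page can still read filled-in fields directly, so the XSS itself has to be fixed.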
