Firefox 2.0 Password Manager Bug

Mozilla today made bug #360493 public. It describes an attack using cross-site forms and a security flaw in the Firefox Password Manager to read stored passwords for a different site. There is a proof of concept that demonstrates that the bug can even be abused without any hint to the user – the form need not be visible for the auto-fill of the credentials to work, and Firefox does not even give a warning.

The type of attack has been coined a Reverse Cross-Site Request (RCSR).

As of the time of this post, there is no fix available. However, a possible workaround is to set a Master Password and use the Master Password Timeout extension with a very short timeout. One can also disable the password manager altogether.

The bug existed since at least Firefox 1.5. Also, similar bugs seem to exist in at least IE 6 and 7, but Microsoft say they’re working on a fix.