Friday, August 20, 2010

Stealing client passwords from Firefox Password Manager

After I attended Jeremiah Grossman's talk at Black Hat and saw the bug I reported last year, I was thrilled to see the bug being exploited in a nice way!
I've got to admit that when I spoke to a friend and told him about this bug, he told me that he had done research on the exact same subject [not browser-specific, though]. He deserves credit, of course. His name is Adi Sharabani and the paper is called "Active MiTM attacks".
Originally posted the following at Mozilla Firefox's Bugzilla in 2009:
"I've found a bug in the design of the password manager of Firefox.
This affects *any* Firefox version so far that has a password keeper.

Entering a website allows the password manager to fill in the
username/password credentials and other privacy-related details.
Typical example:


If a malicious user creates a copy of that URL and spoofs it with DNS
poisoning or MiTM, the login credentials are filled in immediately but the
page doesn't submit.
 
However, as the malicious user creates this page, he also controls the content!
So let's add the following lines to the crafted page:
[This is a page I created by copying the twitter.com/login source
(without even trying to fix the design):]


But wait, it fills in the same credentials on the faked page as well! Let's add
the 4 lines to the bottom of the fake page and voila:


That itself is not the threat, because in a MiTM, if the password wasn't sent to an encrypted server,
you would have gotten it anyway. The threat is, of course, that we can force Firefox to send out
credentials to pages you haven't even tried to log on to, on a hostile wifi :)
If we put a simple script on evil.com that identifies the referrer of the
request using the Referer header of the HTTP POST request, we can
iterate over every website that can store credentials on non-encrypted pages that contain the forms:

In log_creds.py :
document.location=nextsite;
If the list is over and all the usernames/passwords for linkedin, twitter, facebook, ... are stolen, you can leave the user alone and let him actually surf the net.
Like I wrote, stealing those credentials can be done even on websites the user didn't even intend to go to, on a hostile wifi (using a 0-sized iframe)."
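A fill policy a password manager could apply to close the holes the report above describes, written here as an added example (not code from the post, from the Bugzilla report or from Firefox); the SavedLogin/PageContext model, the user-gesture flag and the twitter.com/evil.com sample values are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

# Constructed data model (an assumption, not Firefox's internal format):
# a saved login remembers where it was saved and where the form submitted.
@dataclass(frozen=True)
class SavedLogin:
    page_origin: str     # scheme://host[:port] the login was saved on
    action_origin: str   # origin the login form submitted to

@dataclass(frozen=True)
class PageContext:
    url: str            # URL of the page currently showing a login form
    form_action: str    # the form's action attribute ("" means same page)
    user_gesture: bool  # has the user clicked or typed in the form?

def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased, so comparisons are exact."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def autofill_decision(saved: SavedLogin, page: PageContext) -> tuple[bool, str]:
    """Decide whether the manager may write the saved password into the form.

    Each refusal maps to one step of the attack in the report above.
    """
    # DNS poisoning or MiTM can impersonate a host over plain HTTP but not
    # present a valid certificate, so a fill on HTTP is a fill for the attacker.
    if urlsplit(page.url).scheme != "https":
        return False, "plain HTTP page: a MiTM could read anything filled in"
    if origin_of(page.url) != saved.page_origin:
        return False, "page origin differs from where the login was saved"
    # A cloned page may keep the original fields but point the form elsewhere.
    action_origin = origin_of(urljoin(page.url, page.form_action))
    if action_origin != saved.action_origin:
        return False, "form action points to a different origin"
    # The report's key step is a script reading fields filled at page load;
    # filling only after the user touches the form leaves nothing to read.
    if not page.user_gesture:
        return False, "no user interaction yet, so nothing is filled"
    return True, "fill"

if __name__ == "__main__":
    saved = SavedLogin("https://twitter.com", "https://twitter.com")
    cloned = PageContext("http://twitter.com/login", "//evil.com/log", False)
    print(autofill_decision(saved, cloned))
```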

Tuesday, August 3, 2010

Defcon Presentation

 
Here is the presentation for ARM Exploitation that was given at Defcon (minus the pictures of myself at 3AM and those funny pictures): DEFCON18 - ARM Exploitation Presentation
Also, the updated whitepaper for ARM Exploitation can be found here: DEFCON18 - ARM Exploitation White Paper.


On a personal note: I'd like to say that DEFCON18 was awesome! And thanks for coming to my presentation!
The picture shows less than 2/3 of the crowd because I couldn't fit everyone in one shot! It was wicked!
So you can find yourself in here:

Sunday, August 1, 2010

Defcon presentation

Hold on, I didn't put the picture online... come back in 2 hours after the talk and see yourself screaming "owned".


Will be releasing 1-2 Firefox bugs here soon...
Cya in few hours...