|Follow me on twitter!|
I got to admit, that when I spoke to a friend and told him about this bug, he told me that he did a research on the exact same subject [not on a browser specific though]. He deserves credit of-course, His name is Adi Sharabani and the paper is called "Active MiTM attacks".
Originally posted the following at Mozilla Firefox's Bugzilla in 2009:
"I've found a bug in the design of the password manager of Firefox.
This affects *any* Firefox version so far that has password keeper.
Entering to a website allows the password manager to fill in the
credentials of username/password and other privacy related details.
Typical example :
If a malicious user creates a copy of that url and spoof it with DNS
poisoning or MiTM, the login credentials fill in immediately but the
page doesn't submit.
However, as a malicious user creates this page, he also controls the content!
So let's add to the crafted page the following lines :
[This is a page I've created using copying twitter.com/login source
(without even trying to fix the design) :]
But wait, it fills the same credentials for the faked page as-well! Let's add
the 4 lines to the bottom of the fake page and walla :
That itself, is not the threat. Because in MiTM if the password wouldn't have sent to encrypted server,
you would have gotten it anyway, the threat is of-course, that we can force Firefox to send out
credentials to pages you haven't even tried to log on to on a hostile wifi :)
If we do a simple script in evil.com that identifies the referrer of the
request using the referrer field in HTTP POST Request we can do
iteration over every website that can store credentials on non-encrypted pages that contain the forms :
In log_creds.py :
if list is over, and all the username/passwords for linkedin,twitter,facebook,..., are stolen you can leave the user alone and let him actually surf the net.
Like I wrote, stealing those credentials can be made even on websites the user didn't even intend of going into on a hostile wifi (using 0sized iframe)."