Quote of the Day

Wednesday, December 07, 2005

FireFox & Security

I've been a Firefox user for quite a while. I was one of those "who needs anything but Internet Explorer" people ever since IE jumped past Netscape with version 5. But since I finally (reluctantly) installed and tried Firefox, I've been a big fan.

However, tonight I learned about an unsettling "feature" that to me is a MAJOR security hole. I had used a friend's PC to log on and get my email, check my newsfeeds at newsgator, etc., when I was in California last week. Now, I don't remember answering "Yes" to save any passwords, but that's beside the point. He called me tonight and informed me there is an option under Security where you can actually "Show" the saved passwords, and he just stumbled on it! He's not even a geek like me, so I was a little embarrassed to admit I didn't know about this.

But my embarrassment was really overshadowed by my shock: No application should EVER allow a user to see passwords, and it should absolutely not be the default setting if it does! Fortunately, this was a friend's computer and not a public one. You can set a master password that protects this password list from prying eyes, and I highly recommend you do this immediately if you are a Firefox user.

For all the talk about Windows and Internet Explorer having security flaws, to me, this hole in Firefox would be the easiest to exploit. I've never seen anything in Windows or IE that lets me actually view passwords!

This type of exploit is what is commonly referred to as "social engineering". For instance: an office that has a lot of Firefox users is open to a major compromise of user passwords by someone just walking cubicle to cubicle and writing this information down. In my opinion this "feature" should be taken out altogether. It's just an awful, horrible idea to ever be able to "show" a password unmasked. This is exactly the type of thing that scares me about "open source" software - who is accountable for this design flaw? Who are the shareholders? And why would a company ever assume that only 1 person uses a computer with their software?

I would be interested in hearing any feedback. Are you as shocked as I am to know about this?

1 comment:

Michael said...

Yeah, that's disturbing.

Apps shouldn't show passwords like that; they shouldn't even store the passwords in clear anywhere.

Best practice would be to store a verification string like a hash of the password and not the password at all.

As for the open source question, I'm not clear that anyone is responsible in any legal sense for open source software ... I guess you'd have to say it's a grey area.