[Full-disclosure] Minimo .2 and more Firefox 188.8.131.52 Password Manager Vulnerabilites
- From: Seth Fogie <seth@xxxxxxxxxxxxxx>
- Date: Thu, 02 Aug 2007 13:30:28 -0400
Airscanner Mobile Security Advisory #07080102: Minimo <=.2 and Firefox
Minimo <=.2 and Firefox 184.108.40.206
Tested on Minimo .016 and .2 Windows Mobile Pocket PC 2005 and Firefox
220.127.116.11 Windows XP SP2
Mobile device running Windows Mobile Pocket PC or Firefox 18.104.22.168 on XP
Airscanner Mobile Security
01/10/2007 for Minimo .016 and 07/22/2007 for Minimo .2 (Windows Mobile)
and 08/02/2007 for Firefox 22.214.171.124
High - Disclosure of sensitive information
From the website: http://www.mozilla.org/projects/minimo/
Minimo uses Mozilla Technologies to produce a highly usable web browser
for advanced mobile devices. Features include:
* Fast access to your mobile content via Homebase start page
* Social Bookmarking
* Tab browsing
* RSS Support
* Proven security (TLS, SSL3)
* International support
* Cross platform capability
* Widget and Extension support
Minimo includes a password manager feature that allows users to store
user/password information of sites they visit. There are two ways this
feature can be abused. First, the action of any form can be changed
cross-site scripting (XSS)bug. Second, the form fields can be
automatically filled in without user interaction. As a result, a XSS bug
could allow an attacker to inject an invisible form into a victims
browser that could collect the user/pass without any interaction or
Note: The Password Manager bug is often misunderstood for how it work.
The reason is that there are numerous subtle variations on how the
username and password show up. The following highlights some of these:
1. If there is only one username stored in the password manager for the
specific, it will automatically show up in the username field. If there
is more than one username stored in the Password Manager, a user would
normally type in or select the specific username for the site, which
then allows Minimo/Firefox to fill in the password. As a result, an
attacker would have to know the username to successfully grab the
2. If the password field is named 'password' and there is only one
username associated with the site, the Password Manager will
automatically fill in both the user and password. This particular
version was noticed by
Similar Firefox bugs has been known about since mid-2006; however,
https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c44 indicates these
are supposedly resolved.
The details and vulnerable status of Minimo .2 and below is new.
Proof of Concept
The following webpage provides a link to two pages. The login.php page
is just a sample form that you can enter a user/pass into. Enter and
save some sample info and then click on the second poc.htm link. This
will open a page with a script inside that dynamically creates a framed
environment, one of which is essentially hidden (note: using
style:hidden will not work). In the hidden frame, the login.php page is
loaded, the action is changed, and the user/pass are tickled into the
form fields. You should see two popups - one with the changed form
action, and the other with the stored user & pass variables.
Don't use password manager.
Copyright (c) 2007 Airscanner Corp.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of Airscanner Corp. If you wish to reprint the whole or
any part of this alert in any other medium other than electronically,
please contact Airscanner Corp. for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use on an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Prev by Date: [Full-disclosure] L2TP packet genrator/Fuzzer?
- Next by Date: Re: [Full-disclosure] [Whitepaper SecNiche] Insecurities inImplementing Serialization in BISON
- Previous by thread: [Full-disclosure] L2TP packet genrator/Fuzzer?
- Next by thread: Re: [Full-disclosure] [Whitepaper SecNiche] Insecurities inImplementing Serialization in BISON