The Omni Group Forums


Vincent 2006-11-23 02:09 AM

Is Password Saving in Omniweb safe?
 
Hi there!

I just stumbled across some news about password and user data saving in Firefox. It seems that Firefox doesn't question to which location it's sending its saved user data if saved in the Firefox password manager.

Does anyone know if that problem applies to Omniweb, too?

Thanks.
Vincent

FredH 2006-11-25 07:13 PM

As I understand it, OmniWeb uses the Apple keychain, Firefox doesn't.

JKT 2006-11-26 03:08 AM

That doesn't matter. OmniWeb still inputs usernames and passwords automatically, it just happens to take them from the Keychain whereas Firefox uses its own password manager. The exploit doesn't care where the username and password is pulled from, it only cares that they are inputted.

However, from the test site that they posted OmniWeb wasn't vulnerable to the exploit using my preferences. However, that isn't to say that it is invulnerable - it could be due to the way I have things set up relative to a default install. I'd wait to see what OmniGroup has to say.

Vincent 2006-12-02 01:40 AM

Omniweb as vulnerable as Firefox!
 
:mad: Hi there.

In the meantime Heise Online set up a webpage to test the possibility for password phishing. My Omniweb fell for it and I don't quite know how to configure it right other than not using saved passwords.

Here's the page. Let's hope there will be an update soon. I understand that Safari has no more security problems if you're installing and using the latest Saft update.

pheski 2006-12-02 05:13 AM

[QUOTE=JKT]snip...snip...

However, from the test site that they posted OmniWeb wasn't vulnerable to the exploit using my preferences. However, that isn't to say that it is invulnerable - it could be due to the way I have things set up relative to a default install. I'd wait to see what OmniGroup has to say.[/QUOTE]


I just tested OW and it failed the test.

I played with OW preferences a bit and have not found anything in OW preferences that seems to make a difference.

It would be useful if you could identify what it is about your set-up that protects you.

Peter

FredH 2006-12-02 06:36 AM

Where is the test page or pages you guys are talking about?

mjuengling 2006-12-02 08:00 AM

Here's the [URL="http://www.heise-security.co.uk/services/browsercheck/demos/moz/pass1.shtml"]German test page[/URL], the only one I know. Maybe there's an English page too, but I don't know it.

For me OW fails the test, so I've turned off any saving of user names and passwords. Also for FF and Seamonkey. All of them are failing the test.
The latest Apple security update doesn't change anything.

So I prefer to stop all storing of my user data until there is a fix for the problem.

FredH 2006-12-02 08:26 AM

In the meantime, I would recommend using [URL="http://1passwd.com/"]1passwd[/URL].

It's not free except for a limited version, but it's a very nice app and prevents that test page from displaying your data. (I'm not affiliated in any way.)

Forrest 2006-12-02 10:12 AM

I guess I don't see what the problem is. According to the Heise test:
[i]Due to a lack of checking, a second, evil page on the same server could steal those saved passwords.[/i]

A lack of checking? When one chooses to save the password for that site, that's just what they're doing. By pressing the button one is saying "I want all pages on this site to have access to this l/p." If one is concerned that they may have an "evil page" on their site, they should click "Never for this website."

So I'm guessing they think that in case one page on the site is compromised, that could be an issue. Still, all the malicious user would have to do is have the data in the form submitted go to another site. Even if your browser didn't save passwords at all, this would still be an issue.
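
The kind of check the thread is discussing, as an added example that is not part of any post here and not code from OmniWeb, Firefox or the Keychain: before filling a saved login, compare the origin it was saved for with both the current page and the form's submit target. The record shape (`pageOrigin`, `actionOrigin`), the function names and the `.example` hosts are hypothetical.

```javascript
// Added illustration; not taken from any browser or password manager.
// A saved login is modelled as { pageOrigin, actionOrigin } (hypothetical shape).

// Resolve a form's action attribute against the page URL, as a browser would.
// An empty or missing action submits back to the page itself.
function resolveAction(pageUrl, actionAttr) {
  return new URL(actionAttr || pageUrl, pageUrl);
}

// Decide whether a saved credential may be filled into a form on pageUrl.
function autofillDecision(saved, pageUrl, actionAttr) {
  let page, target;
  try {
    page = new URL(pageUrl);
    target = resolveAction(pageUrl, actionAttr);
  } catch (e) {
    return { fill: false, reason: "unparseable URL" };
  }
  // Rejects javascript:, mailto:, data: and similar submit targets.
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return { fill: false, reason: "non-HTTP submit target" };
  }
  if (page.origin !== saved.pageOrigin) {
    return { fill: false, reason: "page origin differs from saved login" };
  }
  if (target.origin !== saved.actionOrigin) {
    return { fill: false, reason: "form submits to a different origin" };
  }
  return { fill: true, reason: "page and submit target match saved login" };
}

// Constructed sample data: one saved login and three forms that ask for it.
const SAVED = { pageOrigin: "https://forum.example", actionOrigin: "https://forum.example" };
const SAMPLE_FORMS = [
  ["https://forum.example/login", "/do_login"],
  ["https://forum.example/~member/profile.html", "https://collector.example/save"],
  ["https://forum.example/login", ""],
];

function runSamples() {
  return SAMPLE_FORMS.map(([page, action]) => autofillDecision(SAVED, page, action));
}

for (const d of runSamples()) console.log(d.fill ? "fill" : "skip", "-", d.reason);
```

This covers only where the form submits; it does not stop a script running on the same origin from reading a field once it has been filled.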

JKT 2006-12-02 10:50 AM

[QUOTE=pheski]It would be useful if you could identify what it is about your set-up that protects you.[/QUOTE]
Hi, just tested it again and my set-up fails the test now. I mustn't have done the "correct" thing the first time around, or they tweaked the code of the page.


All times are GMT -8.