[Vincent]

Hi there!

I just stumbled accross some news about password and user data saving in Firefox. It seems that Firefox doesn't question to which location it's sending its saved user data if saved in the Firefox password manager.

Does anyone know if that problem applies to Omniweb, too?

Thanks.
Vincent

[FredH]

As I understand it, OmniWeb uses the Apple keychain, Firefox doesn't

[JKT]

That doesn't matter. OmniWeb still inputs usernames and passwords automatically, it just happens to take them from the Keychain whereas Firefox uses its own password manager. The exploit doesn't care where the username and password is pulled from, it only cares that they are inputted.

However, from the test site that they posted OmniWeb wasn't vulnerable to the exploit using my preferences. However, that isn't to say that it is invulnerable - it could be due to the way I have things set up relative to a default install. I'd wait to see what OmniGroup has to say.

[Vincent]

:mad: Hi there.

In the meantime Heise Online set up a webpage to test the possibility for password fishing. My Omniweb fell for it and I don't quite know how to configure it right other than don't using saved passwords.

Here's the page. Let's hope there will be an update soon. I understand, that Safari has no more security problems if you're installing and usig the lates Saft update.

[FredH]

Where is the test page or pages you guys are talking about?

[mjuengling]

Here's the german test page, the only I know. Maybe there's an englisch page too, but I don't know it.

For me OW fails the test, so I've turned off any saving of user names and passwords. Although for FF and Seamonkey. All of them are failing the test.
The latest Apple security update doesn't change anything.

So I prefer to stop all storing of my user data until there will be a fix of the problem.

[dteare]

Quote:

Originally Posted by FredH

Where is the test page or pages you guys are talking about?

I created my own test page that shows how to steal Safari's passwords.

Safari (and I assume OW too) are smarter than Firefox and will not autofill input fields that are hidden using display:none; CSS. The original exploit used this CSS to hide the fields and Firefox happily filled them.

I changed the exploit to use width:0px; instead, and Safari happily filled it.

Again, the real crime here is that the forms are filled without any interaction from me. This is why it is so dangerous; not only for MySpace users but consider Blogger, Vox, or any other site that allows users to 'own' a subdomain.

[pheski]

Quote:

Originally Posted by JKT

snip...snip...

However, from the test site that they posted OmniWeb wasn't vulnerable to the exploit using my preferences. However, that isn't to say that it is invulnerable - it could be due to the way I have things set up relative to a default install. I'd wait to see what OmniGroup has to say.

I just tested OW and it failed the test.

I played with OW preferences a bit and have not found anything in OW preferences that seems to make a difference.

It would be useful if you could identify what it is about your set-up that protects you.

Peter

[JKT]

Quote:

Originally Posted by pheski

It would be useful if you could identify what it is about your set-up that protects you.

Hi, just tested it again and my set-up fails the test now. I mustn't have done the "correct" thing the first time around, or they tweaked the code of the page.