Researcher: Chrome, Safari password managers need work
Google's Chrome and Apple's Safari browsers could do a better job of protecting passwords, according to a security researcher who released a study of browser password managers Friday.
"Safari and Chrome are essentially tied for the worst password manager built into a major Web browser," said Robert Chapin, president of Chapin Information Services, in his report, which looked at the types of security checks browsers used to make sure that they were sending username and password information to legitimate Web sites instead of clever hackers.
Two years ago Chapin reported a widely publicized password manager flaw in the Firefox browser, rated critical by Mozilla developers. The bug was used by attackers on the MySpace.com Web site who had set up a fake login page to steal account information from users of the social-networking site.
Firefox has now done a lot to improve its password manager, but all of these products are still far from perfect, Chapin said in an interview. "Should everyone put 100 percent implicit trust in every password manager?" he asked. "Not at all."
One problem is that today's password managers can be tricked into submitting different password credentials to different parts of the same Web site. That's what hackers did with the MySpace attack, posting a fake password entry form on a MySpace page. Because both the fake and real login forms were on the myspace.com domain, browsers like Firefox could be tricked into automatically sending login information to the fraudsters. That bug has been fixed in Firefox now, but Chrome and Safari are still vulnerable to similar attacks.
Another problem is that browsers will send passwords meant for one domain, Google.com for example, to another domain -- say Myspace.com -- without warning the user, he said. That's because browser makers assume that the page asking for the password should be trusted, even if it is sending the password to another domain, he said.
Chapin says he uses the Opera password manager because it does a better job of letting him save passwords for specific Web pages. He has posted an online test where users can test the security of their own password managers.
Robert Hansen, CEO of Web security consultancy SecTheory, said that the security community has known for several years now that browser password managers are unsafe. This is mainly because the browsers themselves are vulnerable to so many different types of attack. "They aren't a great idea from a security perspective once they are integrated into the browser," he said via instant message. "The browser itself isn't designed to stop a large chunk of exploits that enable password manager theft. Without those exploits, password manager hacks wouldn't work."
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
On Twitter now
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.







sounds bias to me
oh yea... we are firefox biased for sure