Malware forces Firefox to save passwords

Miscreants have developed a strain of malware that makes sure website passwords are recorded by a victim's browser. Saving website login credentials is a user-controlled option in all browsers, often enabled by default. But the practice is frowned upon by security researchers, who point to the risk that passwords left in …


This topic is closed for new posts.
  1. Chemist

    I don't imagine this should affect Linux...

    Certainly on my (default) FF installation all the .js files of this type are only root writable

  2. Michael Habel


    There will be a Patch for that.

    1. lucmars


      I fear that the best patch would be to remove this handy but stupid functionality.

  3. MyHeadIsSpinning

    java script?

    .js ? Java script? Oh, well I have NoScript and AdBlocker Plus; so I'll be alright then. Don't be thinking I'll accept lso's either, I purge them upon shutting down FireFox with another add on, Better Privacy.

    1. corrodedmonkee


      No, you really aren't. You never get the option to choose if those run or not. They are internal browser functions.

  4. Anonymous Coward


    TRWTF is a browser half written in javascript

    Oh well, at least Firefox is completely secure and bulletproof and stuff. Like everyone used to keep saying.

  5. Anonymous Coward

    Jumped ship

    I don't use Firefox anymore, as I found ad blocking and bookmark syncing add-on functionality (as well as more safety due to lack of market penetration).


    sent from my Opera.

  6. Chris Gray 1

    Linux, NoScript

    Note that things like NoScript and NoFlash seem to be written in Javascript. If you turn off Javascript they don't operate at all.

    Note also that you have at least 2 user-writeable .js files in ~/.mozilla/firefox/<funny-name>/ One, "prefs.js" is clearly run on startup. What happens if malware figures out how to write that file? You can probably make it non-writeable, but any config changes (such as turning Javascript on or off!) will need to rewrite the file.

    It is also my impression that much of the configuration interface of Firefox is written in Javascript. That implies that Firefox will run internal Javascript even if you have disabled Javascript.

    1. This post has been deleted by its author

    2. Chemist

      "What happens if malware figures out how to write that file"

      You may as well ask that of ANY file that has your permissions. The global .js files on Linux are protected.

      1. Simon Brady

        To be fair, not just Linux

        > The global .js files on Linux are protected.

        So are the global .js files on Windows, unless the user runs with Admin rights. Yes, I know lots of users do, but "I'm safe because I don't run as root" is different from "I'm safe because I run <insert OS here>".

        1. Chemist

          @ Simon Brady

          So how is nsLoginManagerPrompter.js modified under Windows - is it only people running as admin ? The article doesn't make it clear. Sorry it's a few years since I messed with Windows.

          1. Simon Brady

            @ Chemist

            > So how is nsLoginManagerPrompter.js modified under Windows - is it
            > only people running as admin ? The article doesn't make it clear.

            Well firefox.exe runs as the logged-in user, and by default unprivileged users only have read/exec privs on the Program Files directory tree. So short of finding some sneaky way to subvert a privileged service (Windows equivalent of daemon), it's hard to see how this could work without admin rights.

            The more interesting part of the question - which neither El Reg nor Webroot answer - is how FF is tricked into modifying this file even if the user does have write access to it. Presumably it's not an arbitrary file overwrite vuln or the trojan would be doing much worse mischief. I can't find any relevant mention of nsLoginManagerPrompter.js on, so I guess either the Mozilla team are quietly fixing this or the whole thing is bogus.

          2. Phil101

            It's A Trojan

            It masquerades as something else that the user actually wants and which needs installing as admin. Pwned.

      2. Ammaross Danan


        Certainly. I'm more concerned about virii that rename regedit.exe and the like, and put themselves in its place and simply do their "make sure the computer is still infected" game then continue you on to the exe you were actually looking for....

        That a virii tells FF to save your passwords (a noticeable thing, albeit subtle) isn't as concerning (see "transparent" virii type above, coupled with a keylogger).

        1. Maty

          wtf is 'virii'?

          It's not the Latin plural of 'virus' (because 'virus' in Latin is an uncountable noun and has no plural).

          It's not the English plural which is 'viruses'.

          It's apparently not even a plural, since you are using it with an indefinite article.

          Perhaps it's a subtle hint that I really should not read Reg reader comments before I've had my morning coffee.

          1. Noons

            maybe "viri"?

            That would still be wrong, but at least would show some measure of consistency, unlike "virii" which is just plain stupid (and I admit, quite annoying). I wonder if people who get infected by "virii" also travel on double-decker "bii" or even "omnibii"...

      3. dave 46


        Running as user is safer than running as root - thanks for the advice, wtf has it to do with Linux btw?
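The permission question argued over in the thread above (install-directory `.js` files writable only by root or an administrator, and what happens if one is changed anyway) can be checked directly. This is an added example, not part of the original thread or of Firefox; the function names, the `trusted_uid` parameter and the baseline format are assumptions made for illustration.

```python
import hashlib
import os
import stat

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def js_files(root):
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            if name.endswith(".js"):
                yield os.path.join(dirpath, name)

def make_baseline(root):
    """Record a SHA-256 for every .js file while the install is known good."""
    return {os.path.relpath(p, root): sha256_file(p) for p in js_files(root)}

def audit(root, baseline, trusted_uid=0):
    """Return {relative path: [findings]} for .js files under root."""
    report = {}
    for path in js_files(root):
        rel = os.path.relpath(path, root)
        issues = []
        # Check the file and its directory: a writable directory lets the
        # file be replaced even when the file itself is read-only.
        for label, target in (("file", path), ("directory", os.path.dirname(path))):
            st = os.stat(target)
            if st.st_uid != trusted_uid:
                issues.append(f"{label} owned by uid {st.st_uid}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                issues.append(f"{label} is group/other writable")
        if rel not in baseline:
            issues.append("not in baseline")
        elif sha256_file(path) != baseline[rel]:
            issues.append("content differs from baseline")
        if issues:
            report[rel] = issues
    return report

if __name__ == "__main__":
    import sys
    # Assumed usage: python audit.py <browser install dir>. With a baseline
    # taken in the same run, only ownership/permission findings can appear.
    root = sys.argv[1]
    print(audit(root, make_baseline(root)))
```

Store the baseline somewhere the everyday account cannot write, and take it again after each legitimate browser update.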

  7. Doug

    Before the infection ?

    How do you actually get 'infected', is there a working demo online where I can get infected by clicking on a URL ?

    > "Before the infection, a default installation of Firefox 3.6.10 would prompt the user after the user clicks the Log In button on a Web page, asking whether he or she wants to save the password," Webroot researcher Andrew Brandt explains. "After the infection, the browser simply saves all login credentials locally, and doesn’t prompt the user."

  8. cosmo the enlightened

    Well, well, well

    The sneaky bar stewards.

    Can you imagine, a JavaScript that creates a security issue on a web browser.

  9. This post has been deleted by its author

  10. Anonymous Coward

    What you get for not practicing safe computing.

    Hint: use two accounts, one limited. Use the admin account only to install stuff and the limited account for everyday use. That usually keeps 90% of nasties out.

    And before you whine about applications that require administrative abilities, there's always "run as".

    Tux. Because Linux forces safe computing onto you.

    1. Anonymous Coward

      I think...

      that having .85% of Net users operating safely is phenomenal.

      And, only "letting in" 10% of "nasties" is just marvelous.

      Faux_root to the rescue.

      Linux - because .85% of net exposure limits vulnerability.

      Except for those distros that refuse to provide Firefox updates in a timely fashion who also have "branded" Firefox, supposing that more important than providing timely updates. Devs too busy working on the important stuff like "shaky" windows and the like.

      Love that Slack!

      1. Not That Andrew

        @ Anonymous Coward who doesn't think...

        The post you were replying to was pointing out that you can and should always run Windows as a limited user and if you do so Windows is effectively as secure as any other OS. Why Windows doesn't create limited user accounts by default is another story.

        1. KarlTh


          ...and it's worth unpacking. One answer is "Redmond Stupid". But that's not, I think, actually it. Look at the corporate offerings - domains are expected to be the norm, and the only accounts which are automatically in the Administrators group are Administrator and Domain Admins. Not all the domain user accounts. Yes, lots of places stick Domain Users or (God help us) "Authenticated Users" into the group, but that's because they're run by lazy idiots. Leave the defaults set by MS, and domain users will only have standard user rights and permissions.

          Home machines are really the issue, and there it's historical. XP Home may have evolved from NT4.0 Workstation, but it replaced Win 9x/ME, which did not have this concept of computer administrators and users, evolving ultimately from a single user isolated computer OS model - MS-DOS. Microsoft have, I think, been too scared to force the concept onto the great unwashed. Therefore the installer creates one account by default, and it's an administrator. This gives the user the access he was "used" to under older OSes, without confusing him with the concept of multiple accounts (most home user PCs log in automatically and have no password on the one account anyway).

          From what I know of Microsoft, there's probably been a battle on at Redmond ever since 2001, between the engineers wanting Windows to create two accounts, insist on a password for the Administrator account, and recommending the user use the limited user account, and the marketing people insisting this was too complicated and would lose them market share - of course, the latter group is aided and abetted by application developers who actually write stuff that expects write access to HKLM, %programfiles% and %allusersprofile% just to run. Corporate shops can fix these stupid apps; home users usually can't. Nevertheless, these are getting fewer and I find very few people complain now when I set them up securely.

        2. Robert Carnegie

          I'm not sure if this is the answer, but

          I thought Windows has kept you away from administrative access from Vista onwards. Having said that - I too am still using XP.

          1. Anonymous Coward

            Warning: This article contains bullshit ...

            ... because executing malware directly with your computer is always compromising your system, especially if that malware contains a keylogger. That's not related to Firefox only.

            I am totally surprised about all the comments so far made here.

  11. This post has been deleted by its author
