
December 15th, 2008

Major Web browsers fail password protection tests

Posted by Ryan Naraine @ 12:29 pm

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Firefox, Google, Google Chrome, Mozilla, Passwords, Patch Watch, Phishing, Responsible disclosure, Vulnerability research

Tags: Password, Password Protection, Web Browser, Ryan Naraine

That nifty password management feature in your favorite Web browser could be helping identity thieves pilfer your personal data.

That’s the biggest takeaway from the results of this test, which shows that all the major Web browsers, including IE, Firefox, Opera, Safari and Chrome, are affected by a total of 20 vulnerabilities that could expose password-related information. Among the problems are three in particular that, when combined, allow password thieves to take passwords without the user’s knowledge. They are:

  1. The destination where passwords are sent is not checked.
  2. The location where passwords are requested is not checked.
  3. Invisible form elements can trigger password management.
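
The three checks above can be read as a gate a password manager applies before filling a saved credential. The following is an added example, not code from the study or from any browser: the form is modelled as plain data, all names and URLs are constructed, and comparing origins only (rather than full paths) is an assumption of this sketch.

```javascript
// Added example: autofill gate for a password manager (hypothetical model, no real browser API).
// A saved credential remembers where it was captured and where it was submitted.
const saved = {                       // constructed sample record
  pageOrigin: "https://bank.example",
  actionOrigin: "https://bank.example",
  username: "alice",
};

// Origin of a URL resolved against its page; null if unparsable or not http(s).
function originOf(url, base) {
  try {
    const u = new URL(url, base);
    return (u.protocol === "https:" || u.protocol === "http:") ? u.origin : null;
  } catch {
    return null;
  }
}

// A field counts as visible only if it is rendered, has size, and is not transparent.
function isVisible(field) {
  return field.display !== "none" && field.visibility !== "hidden" &&
         field.width > 0 && field.height > 0 && field.opacity > 0;
}

// Returns { fill, reasons } for a form described as plain data.
function autofillDecision(cred, form) {
  const reasons = [];
  // Check 2: the page requesting the password must be the one it was saved on.
  if (originOf(form.pageUrl) !== cred.pageOrigin) reasons.push("request-location-mismatch");
  // Check 1: the form must submit to the destination recorded at save time.
  if (originOf(form.action, form.pageUrl) !== cred.actionOrigin) reasons.push("destination-mismatch");
  // Check 3: every credential field must be visible to the user.
  if (!form.fields.every(isVisible)) reasons.push("invisible-field");
  return { fill: reasons.length === 0, reasons };
}

// Constructed sample forms, one per failure mode.
const field = (over = {}) =>
  ({ display: "block", visibility: "visible", width: 180, height: 24, opacity: 1, ...over });
const legit = { pageUrl: "https://bank.example/login", action: "/session", fields: [field(), field()] };
const offsiteAction = { ...legit, action: "https://collector.example/p" };
const otherPage = { pageUrl: "https://forum.example/thread",
                    action: "https://bank.example/session", fields: [field(), field()] };
const hidden = { ...legit, fields: [field({ width: 0, height: 0 }), field({ opacity: 0 })] };
```

Each sample form trips exactly one check, so the returned reasons show which of the three conditions blocked the fill.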

Google’s shiny new Chrome browser was among the worst offenders. According to the study, Chrome’s password manager contains multiple unpatched issues that “form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity.”

Apple’s Safari for Windows browser also failed a majority of the tests.

Technical details of the test, which was conducted by Chapin Information Services, can be found here.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

