Firefox 2.0.0.5 Password Vulnerability

Just a quick note to make you aware of a serious password vulnerability in Firefox 2.0.0.5. Over the weekend, Secunia announced this vulnerability on its Full Disclosure mailing list. The vulnerability revolves around Firefox’s password management feature, which lets Firefox retain usernames and passwords for various websites. Because it is convenient, a lot of people use it. It seems that there is a JavaScript exploit that allows malicious websites to grab those stored usernames and passwords.

Heise Security has a working demonstration of the exploit. Go and try it. The easiest way to stop this exploit is to disable JavaScript from within Firefox. I would recommend that you do so until they come up with a fix for it.

2 Responses to Firefox 2.0.0.5 Password Vulnerability

  1. Covarr

    An easier and less inconvenient solution would be to simply remember your passwords. It’s not that hard.

  2. Tyler Menezes

    No, it’s not much of an exploit. Look at the source. Firefox populates the same exact fields IF it’s on the same domain. This “exploit” just allows it to populate those fields (they have the same names, and they’re on the same domain as the ones you submitted earlier), then reads the result. It would work with any browser that has this feature. It’s not an exploit at all. Just a website trying to scare people.
