Major Web browsers fail password protection tests

Summary: That nifty password management feature in your favorite Web browser could be helping identity thieves pilfer your personal data. That's the biggest takeaway from the results of this test, which shows that all the major Web browsers -- including IE, Firefox, Opera, Safari and Chrome -- are affected by a total of 20 vulnerabilities that could expose password-related information.

That nifty password management feature in your favorite Web browser could be helping identity thieves pilfer your personal data.

That's the biggest takeaway from the results of this test, which shows that all the major Web browsers -- IE, Firefox, Opera, Safari and Chrome -- are affected by a total of 20 vulnerabilities that could expose password-related information. Among them are three in particular that, when combined, let password thieves harvest saved passwords without the user's knowledge. They are:

  1. The destination where passwords are sent is not checked (the login form's action can point at a host the saved credential was never sent to).
  2. The location where passwords are requested is not checked (a form anywhere on the site, not just on the original login page, is treated as the same login).
  3. Invisible form elements can trigger password management (fields the user cannot see are still filled in).
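To make the combination concrete, here is an added example (not code from the article or from Chapin Information Services) that models a password manager's "should I autofill this form?" decision in plain JavaScript. It contrasts a naive policy that keys only on the page origin, which is all the three weaknesses above need, with a stricter policy that also checks where the form posts, which path the form lives on, and whether the password field is visible. The site names, paths and saved credential are constructed for the demo; no real browser or DOM is involved.

```javascript
// Added example: toy model of a browser password manager's autofill decision.
// Everything below (bank.example, evil.example, alice/hunter2) is constructed
// for illustration and is not taken from the article or from CIS's tests.

const SAVED = [
  // The user once saved a login on https://bank.example/login; that form
  // posted the credentials to https://bank.example/session.
  { pageOrigin: 'https://bank.example', pagePath: '/login',
    actionOrigin: 'https://bank.example', username: 'alice', password: 'hunter2' },
];

// A form as the password manager sees it: the page it sits on, where its
// action attribute resolves to, and whether the password input is visible.
function describeForm(pageUrl, actionAttr, passwordFieldVisible) {
  const page = new URL(pageUrl);
  const action = new URL(actionAttr || '', page); // empty action posts back to the page
  return { pageOrigin: page.origin, pagePath: page.pathname,
           actionOrigin: action.origin, passwordFieldVisible };
}

// Naive policy: fill whenever the page origin matches a saved entry.
// Destination, location and visibility are never consulted.
function naiveFill(form, saved = SAVED) {
  const hit = saved.find(s => s.pageOrigin === form.pageOrigin);
  return hit ? { username: hit.username, password: hit.password } : null;
}

// Strict policy: the action origin and the page path must match the saved
// login and the field must be visible. A refusal carries its reason so the
// caller can log or display it.
function strictFill(form, saved = SAVED) {
  const hit = saved.find(s => s.pageOrigin === form.pageOrigin);
  if (!hit) return { filled: false, reason: 'no saved login for this origin' };
  if (form.actionOrigin !== hit.actionOrigin)
    return { filled: false, reason: `form posts to ${form.actionOrigin}, saved login posts to ${hit.actionOrigin}` };
  if (form.pagePath !== hit.pagePath)
    return { filled: false, reason: `form is on ${form.pagePath}, saved login was on ${hit.pagePath}` };
  if (!form.passwordFieldVisible)
    return { filled: false, reason: 'password field is hidden' };
  return { filled: true, username: hit.username, password: hit.password };
}

// Scenario combining the three issues: an attacker who can inject HTML
// somewhere on bank.example (a forum post, say) plants a hidden login form
// whose action points at a server they control.
const injected = describeForm(
  'https://bank.example/forum/thread/42', // not the login page (location unchecked)
  'https://evil.example/collect',         // attacker's host (destination unchecked)
  false);                                 // hidden field (invisible elements still filled)
const legitimate = describeForm('https://bank.example/login', '/session', true);

function demo() {
  return {
    naiveOnInjected: naiveFill(injected),   // the naive policy hands over alice/hunter2
    strictOnInjected: strictFill(injected), // the strict policy refuses, citing the action
    strictOnLegit: strictFill(legitimate),  // the real login form is still filled
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The strict policy checks the first mismatch it finds, so the injected form is refused on its destination before its location or visibility are even examined; removing any one of the three checks reopens the corresponding hole. Real password managers apply finer rules (and some deliberately allow path changes on the same site), so treat the paths and origins here as illustrative, not as any browser's actual policy.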

Google's shiny new Chrome browser was among the worst offenders. According to the study, Chrome's password manager contains multiple unpatched issues that "form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity."

Apple's Safari for Windows also failed a majority of the tests.

Technical details of the test, which was conducted by Chapin Information Services, can be found here.


Talkback

122 comments
  • What about KDE Wallet?

    Inquiring minds want to know.
    Michael Kelly
    • Probably about as safe as a real wallet.

      Which, given the right pickpocket, is not safe at all.
      Bozzer
      • Not if it's my wallet.

        I know Jujitsu.

        Ok only a little bit...
        T1Oracle
        • OK, Neo...

          Show me. ;)
          mgrimmvt
      • laziness

        We love gadgets. How about using a U3 flash drive to store all your passwords, perhaps in an Excel format? Mine works, it just takes 20 seconds longer than the browsers.
        stufftoget.vr
    • I don't think it is about encryption

      KDE Wallet just encrypts the passwords and associates them with usernames and a site's domain name, like the plugins for FF, and the default (which doesn't have the master password setting turned on).
      Looks like these issues are more to do with the checks that the password store does on a site etc. If you are XSS'd, will your password utility warn you, or will it still offer up your username and password? Will it submit your password to a site that only slightly matches your sites? I guess there are a million and one checks that could be done, with browsers these days being so customisable.
      How about how FF went with noscript and the password master on?
      changlinn
    • Look Blue... A Clue... A Clue!!!

      Anyone who lets a web browser or so-called security software hold/manage their passwords deserves to have their passwords stolen. That completely negates having a password in the first place. Passwords are for security and should be remembered and almost never written down, let alone stored in a piece of I'm-so-fat-and-lazy-I-can't-be-bothered-to-type-in-my-password software.

      Morons, Morons, Morons... Common sense just made the endangered species list....

      We need to stop messing with nature and return to survival of the fittest, most of you bozos would not last a week.
      i8thecat
      • 76 passwords and counting

        I have 76 passwords in my personal bank. I have a dozen more at work that I have memorized, but there is no way I will remember that many high-quality passwords that are entered only rarely. Password keeping software is essential as one interacts with more systems, otherwise when one password is compromised, many accounts are compromised. This way, at least, they have to get the one password I use nowhere else in order to make progress.
        pogson
        • The LEAST secure passwords . . .

          . . . are the "high-security random" passwords - for EXACTLY the reason you mentioned. When used infrequently, EVERYONE either writes them down somewhere, or saves them in their browser.

          So much for "high-security." Check for a sticky-note on the screen, the wall, the Rolodex or in the top drawer, if the browser doesn't fill it in automatically when you go to the page. It will be around somewhere.

          ("the chain is only as strong as the weakest link")
          oldbaritone
          • Wrong

            I have one password I have never written down anywhere, and another I wrote down only once -- and then destroyed that paper.

            It IS possible! But it requires careful use of passphrases. And this is in turn made more difficult, unfortunately, by misguided administrators who insist that passwords meet 'entropy' requirements, but don't tell users what those are, fearing a security breach!
            mejohnsn
        • Password Bank

          That's why I never allow or use the auto-password filling functions. (Just say "NO" when your browser asks if you want it to "remember" your login or the site you are visiting asks "Remember me on this computer?")

          I use a stand-alone utility with a pretty high encryption level. If I'm not sure about the login for a site I'm going to visit, I start that sucker up (it's got its own password), then look up the login info from my list of 80+ password/username combos. Then I CLOSE the app before firing up a browser.

          Yeah - it takes a few seconds longer, but . . .
          NGENeer
  • RE: Major Web browsers fail password protection tests

    That's why I use Norton Internet Security's saving function instead of the one built into Firefox. It's more secure, asks for a confirmation, and MAKES SURE YOU ARE ON THE RIGHT PAGE BEFORE SENDING THE PASSWORD TO FIREFOX.
    Lerianis
  • Wow, Safari is really bad!

    Apple seems totally incapable of writing secure programs.
    NonZealot
    • NonZealot, again you proved to be an antagonist...

      What about Chrome? You didn't disparage them. Putting the results in perspective, none of the browsers did well. Some did better than others; however, even the best failed 66%.

      Go take a chill pill.
      BubbaJones_
      • But Apple takes "suck" to a new level

        :)
        NonZealot
        • By your reasoning so does Google.

          I'm just pointing that out, but it looks like all parties have some work to do in this area.
          DevJonny
          • Well, Google Chrome does suck securitywise

            Yes all of the browsers have problems, though Opera and Firefox seem to be the best of a bad lot.
            gypkap@...
          • And in other ways

            Does anyone really think Google launched their own browser just to improve one's surfing experience? Like hell they did! It's not even their own code. Every site you visit creates a call back to base to check if the site is involved in phishing or malware. Very commendable. But what else are Google doing with this information about your browsing habits?
            GOTBO
        • No you're thinking of Suckrosoft.

          ;-)
          fr0thy2
          • What dimension is frothing at the mouth currently in? What's Suckrosoft?

            He's hallucinating as usual. Probably forgot to take his meds.
            transposeIT