[Cosmo-dev] Bug 9930: XSS vulnerability (or, h4x0r5 will steal ur passwurds!)
Travis Vachon
travis at osafoundation.org
Sat Jul 14 12:35:22 PDT 2007
>
> While I agree that allowing injection of arbitrary scripts that can
> grab client-side data (calendar event info or what have you) and
> send it somewhere on the 'Net is a Bad Thing -- I think the example
> of passwords used here is kind of like worrying about the quality
> of your lock when the door itself is made out of balsa wood.
>
> Right now you can type this into your (or your boss's) location bar:
>
> javascript:alert(cosmo.util.auth.getPassword());

I'm afraid I disagree. If you have physical access to a machine, of
course you have access to sensitive information. Even when we change
the authentication scheme to avoid storing a password on the client
side we will need to store some piece of sensitive data on the client
side (a temporary key, for instance) that an attacker could use to
get access to a user's data given physical access to the machine.
Physical access security is a problem that is "solved" by the OS.
Certainly we can help it out by making sure sensitive information
isn't even around, but if an attacker is sitting at your machine you
have larger problems.

The insidiousness of bugs like 9930 is that no physical access to the
machine is required. It's as if we've been given what we're told is a
secure room, but we have forgotten to close a window.

All that said, I think we're all on the same page that this is a
problem; the disagreement here appears to be about which facet of the
problem is more serious. Personally, I think that if we address XSS
bugs as they come in and address them in a standard way (I improved
on my previous fix in r5081) we are still reasonably justified in our
original decision to store the password on the client side in
essentially plaintext until we have bandwidth to create a better auth
scheme.

-Travis
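The "standard way" of handling the injection the thread is about, as an added example that is not Cosmo's own code: untrusted calendar event fields are escaped before they become markup, and event links are restricted to http(s) so a javascript: URL never becomes clickable. The event record shape and the sample data are constructed here.

```javascript
// Added example, not Cosmo's own code: rendering untrusted calendar event
// fields so injected markup is displayed as text instead of executed.
// The event record shape {title, location, url} is assumed/constructed here.

// Escape the characters that matter inside element content and
// double-quoted attribute values. Ampersand must be handled first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allow only http(s) URLs as event links; any other scheme (including a
// "javascript:" URL like the one in the thread) yields null and is dropped.
function safeHref(url) {
  const trimmed = String(url).trim();
  return /^https?:\/\//i.test(trimmed) ? escapeHtml(trimmed) : null;
}

// The pattern behind bugs like 9930: server-supplied strings concatenated
// straight into markup that is later assigned to innerHTML.
function renderEventUnsafe(ev) {
  return `<li class="event"><b>${ev.title}</b> @ ${ev.location}` +
    ` <a href="${ev.url}">link</a></li>`;
}

// Hardened rendering: every field escaped, link scheme checked.
function renderEventSafe(ev) {
  const href = safeHref(ev.url);
  const link = href ? ` <a href="${href}">link</a>` : "";
  return `<li class="event"><b>${escapeHtml(ev.title)}</b> @ ` +
    `${escapeHtml(ev.location)}${link}</li>`;
}

// Constructed sample event, standing in for a record fetched from the server.
const sampleEvent = {
  title: "<script>alert(1)</script>Standup",
  location: 'Room "A" & B',
  url: "javascript:alert(1)",
};

// Quick self-check when run directly: the first line carries live markup,
// the second shows the same data as inert text with the link removed.
console.log(renderEventUnsafe(sampleEvent));
console.log(renderEventSafe(sampleEvent));
```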