[Cosmo-dev] Bug 9930: XSS vulnerability (or, h4x0r5 will steal ur passwurds!)
Matthew Eernisse
mde at osafoundation.org
Mon Jul 16 10:43:08 PDT 2007
Reply inline, below ...
Travis Vachon wrote:
> I'm afraid I disagree. If you have physical access to a machine, of
> course you have access to sensitive information. Even when we change the
> authentication scheme to avoid storing a password on the client side we
> will need to store some piece of sensitive data on the client side (a
> temporary key, for instance) that an attacker could use to get access to
> a user's data given physical access to the machine. Physical access
> security is a problem that is "solved" by the os. Certainly we can help
> it out by making sure sensitive information isn't even around, but if an
> attacker is sitting at your machine you have larger problems.
There's a huge difference between having a temporary key compromised
(which means that particular session on a single particular Internet
service has been compromised), and having a clear text password
compromised.
We all know that people use the same password on multiple Internet
service accounts, so a compromised Cosmo password would likely also
provide access to other accounts like GMail, EBay, PayPal, online
banking, etc.
I'd also point out that in a lot of shared-computing environments
(universities, small businesses), physical access to a particular
machine doesn't lead to any larger problems. All the data is remote data
living at different Internet services -- so even with physical access to
the machine, the vulnerable information is limited to what's in the
browser for the currently logged-in service (or should be).
> The insidiousness of bugs like 9930 is that no physical access to the
> machine is required. It's as if we've been given what we're told is a
> secure room, but we have forgotten to close a window.
I agree it's an extremely insidious bug, and also trivial to fix
compared to the issues with our auth scheme.
Hopefully we can put our heads together and get the auth stuff fixed
relatively soon post-0.7.
Matthew
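The distinction Matthew draws above, between a compromised temporary key (one session on one service) and a compromised clear-text password (every service where it is reused), as an added Python example that is not Cosmo's code or the Cosmo project's auth scheme: the password is kept server-side only as a salted PBKDF2 hash, the client receives a random opaque session token with an expiry, and each token can be revoked individually or per user. The class and function names, the one-hour TTL, the PBKDF2 cost factor and the credentials are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Added example (not Cosmo code): keep the password on the server only, hand the
# browser a random, expiring session token, and make every token individually
# revocable. Losing a token then exposes one session on one service; the password
# itself never reaches the client. All constants and names below are assumptions.

SESSION_TTL = 3600          # assumption: one-hour sessions
PBKDF2_ROUNDS = 200_000     # assumption: cost factor for the password hash


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, pbkdf2-sha256 digest); only this pair is stored server-side."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class SessionStore:
    """Server-side table of live sessions keyed by a hash of the bearer token."""

    def __init__(self, ttl: int = SESSION_TTL):
        self.ttl = ttl
        self._users: Dict[str, Tuple[bytes, bytes]] = {}     # user -> (salt, digest)
        self._sessions: Dict[str, Tuple[str, float]] = {}    # sha256(token) -> (user, expiry)

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash of the token so a leaked server table is not a list of valid tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, user: str, password: str) -> None:
        self._users[user] = hash_password(password)

    def login(self, user: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Check the password and, if valid, issue an opaque token for the client to hold."""
        creds = self._users.get(user)
        if creds is None or not verify_password(password, *creds):
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # random; carries no password material
        self._sessions[self._key(token)] = (user, now + self.ttl)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live token, or None if it is unknown, expired or revoked."""
        now = time.time() if now is None else now
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self._sessions[key]                # lazily drop expired sessions
            return None
        return user

    def revoke(self, token: str) -> bool:
        """Kill one session, e.g. after a suspected token theft; True if it was live."""
        return self._sessions.pop(self._key(token), None) is not None

    def revoke_all(self, user: str) -> int:
        """Kill every session of a user, e.g. on password change; returns the count."""
        doomed = [k for k, (u, _) in self._sessions.items() if u == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    store.register("alice", "correct horse battery staple")   # constructed credentials
    tok = store.login("alice", "correct horse battery staple", now=0)
    print("token resolves to:", store.resolve(tok, now=10))
    print("after expiry:", store.resolve(tok, now=SESSION_TTL))
```

The point of the design is the blast radius: a token lifted from the browser is bounded by the TTL, can be killed with `revoke`, and is useless against any other service, whereas a clear-text password stored client-side has none of those limits and, as the reply notes, is commonly reused elsewhere.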