Recommendations: 8
The automatic password manager in the Firefox web browser is not secure, according to a report on the software maker's website....
Maybe. Maybe not.
The trouble with this sort of thing is that somebody writes a half-baked article but doesn't explain what it actually means. It's then paraphrased over and over again, with each description getting shorter, and explaining even less.
So what is actually happening?
Here is a proof-of-concept page:
http://www.myspace.com/1sweetstar
Hey! On TMF, I can't cheat you, so you can see it really is on MySpace, so if you've asked Firefox to remember your MySpace login information, it will fill in the form. If your password manager is password-protected, and you haven't already entered it, you will be prompted for the master password before the information is entered.
So far so good. However, the page isn't an official MySpace login page - it's been crafted by a user, so when you click on the LOGIN button, the login information is sent elsewhere to be recorded. Or rather, it was, because that's now been disabled.
So this isn't a free-for-all password stealing mechanism.
Firstly, it would only allow someone to steal one password at a time - namely that for the site on which it is hosted. Secondly, it requires that the site permits a user to enter HTML. Thirdly, it requires that you are conned into visiting the special page, which isn't perhaps so hard to do.
If you only visit sites directly, it isn't a problem continuing to use Password Manager.
Furthermore, the FormFox extension:
https://addons.mozilla.org/firefox/1579/
reveals all. If you install FormFox, visit the above MySpace page, and let the mouse hover above the LOGIN button, you'll see that the information entered isn't sent to MySpace but to Lycos.
nybbler
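
The check FormFox makes visible in the post above, comparing where a login form submits with the page it sits on, can also be done mechanically. This is an added example, not part of the original post and not FormFox's code; the hosts and sample HTML are constructed placeholders, and regex scanning stands in for a real DOM walk.

```javascript
// Constructed sample: a page on one site carrying a user-supplied login form.
const SAMPLE_PAGE_URL = "https://social.example/profile/1234";
const SAMPLE_HTML = `
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="https://collector.example/save" method="post">
  <input type="text" name="email">
  <input type="PASSWORD" name="password">
  <input type="submit" value="LOGIN">
</form>
<form method="post"><input type="password" name="pw"></form>`;

// Read one attribute (quoted or unquoted) from a single tag string.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return every form that contains a password field and submits to an
// origin other than the one the page was loaded from.
function findCrossOriginPasswordForms(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const formRe = /<form\b[^>]*>[\s\S]*?<\/form\s*>/gi;
  for (const [block] of html.matchAll(formRe)) {
    const openTag = block.slice(0, block.indexOf(">") + 1);
    const inputs = block.match(/<input\b[^>]*>/gi) || [];
    const hasPassword = inputs.some(
      (t) => (attr(t, "type") || "").toLowerCase() === "password"
    );
    if (!hasPassword) continue;
    // A missing or empty action submits back to the page itself.
    const rawAction = attr(openTag, "action") || pageUrl;
    let target;
    try {
      target = new URL(rawAction, pageUrl); // resolves relative actions
    } catch {
      findings.push({ action: rawAction, origin: null }); // unparseable: flag it
      continue;
    }
    if (target.origin !== page.origin) {
      findings.push({ action: target.href, origin: target.origin });
    }
  }
  return findings;
}

console.log(findCrossOriginPasswordForms(SAMPLE_HTML, SAMPLE_PAGE_URL));
```

Only the second form in the sample is reported: the search form has no password field, and the third form has no `action`, so it submits to the page's own origin.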