Closed Bug 348773 Opened 19 years ago Closed 18 years ago

My passwords were stolen when I click on a link

Categories

(Toolkit :: Password Manager, defect)

x86
Linux
defect
Not set
critical

RESOLVED INCOMPLETE

People

(Reporter: fernandogrd, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.8.0.5) Gecko/20060731 Ubuntu/dapper-security Firefox/1.5.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.8.0.5) Gecko/20060731 Ubuntu/dapper-security Firefox/1.5.0.5

I was browsing on www.orkut.com and I clicked on a link (a post), and so I was redirected to the main orkut page (after logged in). After a few days the people who got my passwords left me some messages. PS: It could be an Orkut bug, but I am almost sure that it is a Firefox bug; the post was: "Firefox Bug"

Reproducible: Didn't try

I felt insecure because my passwords were stolen; I believe it's a critical bug.
I couldn't find the link :(, sorry....
All your passwords or just your orkut password? Can you check your history and see if it's still there?
(In reply to comment #2)
> All your passwords or just your orkut password? Can you check your history and
> see if it's still there?

Hi, I believe I need to explain better what happened. First: I got into a community on orkut and clicked on a post, just a post (called firefox bug), not exactly a link. So I was redirected to a "strange" page and then redirected again to the initial page of orkut (after logged in). Second: A few days later I received messages from my own profile saying that my orkut had been hacked. Some communities were added and a community I created was deleted. Last: Phishing attacks are very common on orkut, but that was not one; I didn't type my passwords and my username in anywhere. They just have access to it, I don't know exactly how. Well, my password for orkut and for my mail were the same. My mail didn't suffer attacks (I think). I've also reported the "problem" to Orkut too.
I'm going to guess this is an XSS bug in Orkut (possibly one that can only be exploited if the visitor is using Firefox). Do you happen to have the URL of the post?
(In reply to comment #4)
> I'm going to guess this is an XSS bug in Orkut (possibly one that can only be
> exploited if the visitor is using Firefox). Do you happen to have the URL of
> the post?

No, I've tried to find it, but the post of the community had been excluded. Well, on phishing attacks some ""hackers"" (I don't know why) post the passwords in a related community; I thought it had happened to me because the messages on my profile were very "unlike". So I'm trying to find something like it or another link. Besides, I'm just a bit "afraid" because I have some problems with my HD today and I'm using a live CD of Ubuntu; on the CD only Firefox exists :P I think I will create another Google account to find it :) Sorry for the bad English.
I found it in a discussion from the "Firefox Brasil" community; there was a great post talking about the problem: http://morbhius.7vip.net/pt-BR/winmoney/?a=null I'm not sure it's the same link, it's just a bit different; this redirects directly to the orkut page, and in the discussion in the Firefox community the people say that orkut corrected the bug on 14 August, but my password was stolen on 15 August. I sent another bug report to orkut... but it seems the bug just works in Firefox.
The link in the last comment is dead now, so there's really no information in this old bug to work with. I'd guess that Jesse is most likely right, and this was an XSS flaw on Orkut's end. Could also be bug 360493, which was an exploitable flaw that has since been fixed.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INCOMPLETE
Product: Firefox → Toolkit