TL;DR
Yes, a malicious survey website can trick Firefox into sending stored passwords if it uses specific techniques exploiting how Firefox handles form autofill. This is usually done through carefully crafted HTML forms and JavaScript code. You can protect yourself by disabling autofill on sensitive sites, using a strong master password, keeping Firefox updated, and being cautious about the websites you visit.
How It Works
Firefox automatically saves usernames and passwords when you log into websites. A malicious website can attempt to exploit this feature to steal your credentials. Here’s how:
Steps to Protect Yourself
- Understand the Threat: Firefox’s autofill feature is convenient, but it relies on matching form names and URLs to saved login details. A malicious site can create forms that *look* like legitimate login forms for sites where you have saved passwords.
- Disable Autofill on Sensitive Sites: This is the most effective protection.
  - Open Firefox settings (Options/Preferences).
  - Go to ‘Privacy & Security’.
  - Scroll down to ‘Logins and Passwords’.
  - Click ‘Exceptions…’ under ‘Autofill logins’.
  - Add the URL of any website you consider sensitive. This prevents Firefox from offering to autofill on those sites.
- Use a Strong Master Password: A master password encrypts your saved passwords. Even if a malicious site steals your password database, it will be very difficult for them to decrypt it without the master password.
  - In Firefox settings (Options/Preferences), go to ‘Privacy & Security’.
  - Scroll down to ‘Logins and Passwords’.
  - Check ‘Use a Master Password’. Choose a strong, unique password that you don’t use anywhere else.
- Keep Firefox Updated: Mozilla regularly releases security updates that patch vulnerabilities like those exploited by malicious websites.
  - Go to the Firefox menu (three horizontal lines).
  - Select ‘Help’.
  - Click ‘About Firefox’ to check for and install updates.
- Be Cautious About Websites: Avoid clicking links in suspicious emails or visiting websites you don’t trust.
  - Check the website address carefully before entering any personal information. Look for HTTPS (the padlock icon) to ensure a secure connection.
  - Be wary of survey sites that ask for excessive personal details.
- Clear Existing Saved Passwords: If you suspect your passwords may have been compromised, clear them from Firefox.
  - In Firefox settings (Options/Preferences), go to ‘Privacy & Security’.
  - Scroll down to ‘Logins and Passwords’.
  - Click ‘Saved Logins…’
  - Remove any entries you don’t recognize or trust. You can also remove all saved logins if necessary.
Technical Explanation (for advanced users)
The attack typically involves a malicious website creating HTML forms with name attributes that match those used by legitimate login pages. When you visit the malicious site, Firefox may attempt to autofill these forms based on saved credentials.
```html
<form action="#" method="post">
  <label for="username">Username:</label>
  <input type="text" id="username" name="username"><br>
  <label for="password">Password:</label>
  <input type="password" id="password" name="password"><br>
  <button type="submit">Submit</button>
</form>
```
JavaScript can then be used to capture the submitted data and send it to an attacker’s server. While Firefox has protections against this, they are not foolproof.
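The fill decision a password manager has to make for a form like the one above can be modelled in a few lines. This is an added example, not code from the original page or from Firefox; the function names, the `bank.example` and `survey.example` hosts and the saved login are constructed for illustration. It contrasts a policy that fills on field names alone with one that fills only on an exact HTTPS origin match.

```javascript
// Constructed sample: one saved login (hypothetical site and credentials).
const savedLogins = [
  { origin: "https://bank.example", username: "alice", password: "constructed-secret" },
];

// Weak policy (hypothetical): fill whenever the form has fields named
// "username" and "password". pageUrl is ignored, which is the flaw.
function fillByFieldNames(pageUrl, fieldNames, logins) {
  const looksLikeLogin = ["username", "password"].every((n) => fieldNames.includes(n));
  return looksLikeLogin && logins.length > 0 ? logins[0] : null;
}

// Strict policy: fill only when the page's origin (scheme, host, port)
// exactly equals the origin the login was saved for, and only over HTTPS.
function fillByOrigin(pageUrl, fieldNames, logins) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return null; // unparsable URL: never fill
  }
  if (page.protocol !== "https:" || !fieldNames.includes("password")) return null;
  return logins.find((l) => new URL(l.origin).origin === page.origin) || null;
}

// Run both policies over constructed pages that all serve the same form.
function comparePolicies(logins) {
  const fields = ["username", "password"];
  const pages = [
    "https://bank.example/login",           // the site the login was saved for
    "https://survey.example/win-a-prize",   // unrelated site, same field names
    "https://bank.example.survey.example/", // look-alike hostname
    "http://bank.example/login",            // right host, no TLS
  ];
  return pages.map((url) => ({
    url,
    weakFills: fillByFieldNames(url, fields, logins) !== null,
    strictFills: fillByOrigin(url, fields, logins) !== null,
  }));
}

console.table(comparePolicies(savedLogins));
```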

