For fun, since Member was so convinced that turning a browser into malware was possible, I decided to look and see if anything similar to what was described is a used technique in the wild.
I discovered that the possibility is not as remote as my posts suggested but still not possible to the degree suggested by Member depending on whether it could be abused remotely. The method relies on a vector that I did not think to include but fits into the basic elements of our discussion.
The following articles describe methods to modify Firefox into a "local" keylogger for some website logins. The method works for Firefox on all OSs but the file paths are different for each platform.
http://tech-buzz.net/2011/04/25/evil-series-turn-firefox-4-or-3-into-keylogger-and-steal-passwords/
http://www.techtalkz.com/blog/tips-...ave-passwords-from-secure-https-websites.html
One article describes how to get Firefox to automatically save passwords. The other article describes how to get Firefox to save SSL encrypted passwords. Combined, the effect would be the automatic collection of encrypted passwords.
Apparently, the storage of that data is encrypted but is accessible locally if a master password is not set. I did find some utilities online that are able to decrypt the data storage to recover passwords.
Following secure password guidelines when setting a master password prevents recovery.
If the ability to access this data remotely is possible, then I was wrong. A trojan in the wild that affected Windows recently used the methods in the links above as a component in a piece of malware. It relied on another component independent of the browser to upload the data collected to the attacker's server.
http://blog.webroot.com/2010/10/06/patchy-phisher-forces-firefox-to-forego-forgetting-passwords/
This issue seems unique to Firefox. Honestly, I am quite surprised by this. But, if similarly implemented in OS X without password authentication for any of the components, this would meet the requirements of the PoC discussed even though it requires more than just the modification of the browser given that a means to upload the data would be required.
Seems like this is a major security issue for any Firefox user on any OS given that both the encryption key file and the data storage file are read/write by the user. I guess this is good to know for users that prefer to use a third-party browser, especially if that browser does not use keychain for secure storage.
For safety reasons, Firefox should require users to set a master password by default. Having the service turned off may not be a solution if the file that stores the setting to disable password manager is also modifiable.
This issue does not affect Safari because this functionality in Safari is provided by keychain, which uses encryption linked to a password by default.
Sorry for hijacking this thread. Below is my attempt to get it back on track.
I got the anti-malware.zip downloaded on my Mac by accident, but it was set not to automatically open, so I instantly deleted it without ever opening it.
Am I still in danger?
No, you are not in danger.