Test Finds Google Chrome, Apple Safari Weakest in Browser Password Management - Other Password Security Issues
"The claimed vulnerability here is that if you don't check the action
authority you might be sending the password to the wrong site, so the attacker
would change the action authority to point toward his own site or some other
questionable site to steal your password," Fette said. "If the
attacker can actually change the form on the Web page, there is a ton of other
things that he could do to get your password."
In addition, Fette countered that adding such a feature could cause
usability problems.
"It might be the case that you have a Web site that's either a banking
Web site or a big commerce Web site with a lot of back-end servers, so they
might not always use the same domain name," he said. "It might not
always be 'mystore.com'—it might be server1.mystore.com … if you put in a check
that says the action domain has to be the exact same, then if they ever change
their Web site or [are] using some load balancing scheme where they're
sometimes [using] different domains, they would then fail that check."
Chapin argued that the fact that Firefox addresses this issue means it can
work.
"The example of mystore.com vs. server1.mystore.com is invalid when the
discussion is about gmail.com versus hotmail.com," Chapin said.
"Every browser can make that distinction because it is already a common
feature of JavaScript's 'same-origin policy.' The only real corner case is when
mystore.com decides their domain authentication system is going to involve
multiple DNS names like login1.mystore.com, login2.mystore.com, etc. There are
any number of ways to resolve that case gracefully, but the way Google Chrome
does it is by allowing the credentials from any domain to be submitted."
The third critical issue is whether the password manager delivers a password
using a form that is not visible. If an attacker can put an invisible password
form on the page and count on the password manager to fill in the form, it is
possible to steal a user's password without the user ever knowing, Chapin
explained.
"Firefox and Google Chrome don't pay any attention to that
whatsoever," he said. "In their Document Object Model, if they find a
password field, all bets are off—the password manager gets activated and it
sticks a password in there."
Only Opera and IE required user interaction before a password was retrieved
and filled in. Safari required explicit user interaction for passwords to be
saved, as did IE; the others did not.
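The two checks debated above, the form-action authority check and the refusal to fill an invisible password field, as an added example (not code from the article or from any of the browsers it tests). It assumes a simplified form model of plain objects, a hypothetical `autofillDecision()` entry point, and a last-two-labels approximation of the registrable domain in place of the Public Suffix List.

```javascript
// Added example: simplified password-manager autofill policy. Forms are plain objects
// (pageUrl, action, fields[]); registrableDomain() is a constructed approximation.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Check 1 (action authority): "strict" requires the form's action origin to equal
// the origin the credential was saved for; "relaxed" accepts any https host under
// the same registrable domain, covering the server1.mystore.com case Fette raised
// while still rejecting gmail.com versus hotmail.com as Chapin describes.
function actionAuthorityOk(form, savedOrigin, mode) {
  let action;
  try {
    action = new URL(form.action, form.pageUrl); // resolves relative actions
  } catch {
    return false; // unparseable action: refuse rather than guess
  }
  const saved = new URL(savedOrigin);
  if (mode === "strict") return action.origin === saved.origin;
  return action.protocol === "https:" &&
    registrableDomain(action.hostname) === registrableDomain(saved.hostname);
}

// Check 2 (visibility): refuse to fill a password field the user cannot see.
function isVisible(field) {
  const s = field.style || {};
  if (field.type === "hidden") return false;
  if (s.display === "none" || s.visibility === "hidden") return false;
  if (s.opacity !== undefined && Number(s.opacity) === 0) return false;
  if (field.width === 0 || field.height === 0) return false;
  return !field.offscreen;
}

// Combined decision; the reason is returned so a refusal can be logged.
function autofillDecision(form, savedOrigin, mode = "strict") {
  if (!actionAuthorityOk(form, savedOrigin, mode)) {
    return { fill: false, reason: "action-origin-mismatch" };
  }
  const pw = form.fields.find((f) => f.type === "password");
  if (!pw) return { fill: false, reason: "no-password-field" };
  if (!isVisible(pw)) return { fill: false, reason: "hidden-password-field" };
  return { fill: true, reason: "ok" };
}

// Constructed sample: a visible login form on mystore.com posting to a relative path.
const sampleForm = { pageUrl: "https://mystore.com/login", action: "/session",
  fields: [{ type: "password", style: {}, width: 200, height: 20 }] };
console.log(autofillDecision(sampleForm, "https://mystore.com"));
```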
"The password manager is not a relatively large
program, but it seems like something that does not get a lot of attention
during development," Chapin said.