Saturday, December 09, 2006

A new password flaw found in Firefox 2

By Justin Silverton

In a recent article, a new flaw in firefox 2 is discussed:

“Mozilla’s Firefox 2.0 has long been considered a safer Web browser than Microsoft’s Internet Explorer, but a new flaw in the Firefox Password Manager, which lets users store usernames and passwords for trusted Web sites, could let hackers steal their login data.

The problem, known as a reverse cross-site request, or RCSR, was first discovered by Robert Chapin, a Microsoft Certified Systems Engineer (MCSE) and I.T, consultant. The RCSR appears on blogs, message boards, or group forums that let users add comments with embedded HTML code.

On sites that allow users to enter code, a hacker can embed a form that tricks the user’s browser into sending its username and password information to the hacker’s computer. Because the form is embedded on a trusted Web site, the browser’s built-in antiphishing protection, which is designed to alert users to fraudulent Web sites, does not detect the problem.”

When will this flaw be fixed?

The Mozilla Foundation (the group behind the firefox browser) has classified it as Bug #360493 and also announced that it will be fixed in version or

This attack can be avoided by disabling the browsers’ autosave features for usernames and passwords. I

No comments: