
November 26, 2006

Critical flaw in Firefox and IE allows password theft

By John Pospisil





Users of both Mozilla’s Firefox and Microsoft’s Internet Explorer are at risk of having their saved passwords stolen, according to security researcher Robert Chapin, president of Chapin Information Services.

The risk arises because the password manager of each browser can be tricked into handing over saved passwords to fake login pages. Chapin has dubbed this a Reverse Cross-Site Request [RCSR] vulnerability.

Users of social networking services such as MySpace, and visitors to forums and blogging services are most at risk, because pages at these types of sites can be modified using HTML code to make them look like login pages to the browser’s password manager. Because the URLs of such pages look legitimate, the password manager is tricked into handing over the password.

The technique has already been used to steal MySpace user passwords, according to Chapin.

Both Microsoft and Mozilla have been notified about the security vulnerability.
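
One server-side check that a site accepting user HTML could run against the pattern described above, as an added example that is not from the original article or from Chapin's report: it flags any submitted fragment containing a password field and notes whether the form posts off-site. `FormFinder`, `audit_user_html` and the `.example` hosts are hypothetical names chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormFinder(HTMLParser):
    """Records each <form> in a fragment and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []    # one dict per form seen
        self._open = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # parser lowercases names
        if tag == "form":
            self._open = {"action": attrs.get("action", ""), "password": False}
            self.forms.append(self._open)
        elif tag == "input" and attrs.get("type", "").strip().lower() == "password":
            if self._open is None:  # password field outside any form
                self.forms.append({"action": "", "password": True})
            else:
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_user_html(fragment, page_url):
    """Findings for user-submitted HTML that would be served at page_url."""
    finder = FormFinder()
    finder.feed(fragment)
    finder.close()
    site = urlsplit(page_url)
    findings = []
    for form in finder.forms:
        if not form["password"]:
            continue
        target = urlsplit(urljoin(page_url, form["action"]))
        off_site = (target.scheme, target.netloc.lower()) != (site.scheme, site.netloc.lower())
        findings.append({"action": target.geturl(), "off_site": off_site})
    return findings

# Constructed samples; every host is a placeholder.
PROFILE_URL = "https://social.example/profile/1234"
SAMPLES = {
    "plain": "<p>Hi, this is my <b>profile</b>.</p>",
    "search": '<form action="/search"><input type="text" name="q"></form>',
    "login_like": '<FORM action="https://other.example/c" method="post">'
                  '<input name="user"><input TYPE="Password" name="pw"></FORM>',
}
```

Any finding is grounds to reject or strip the fragment, since user-submitted profile or forum content has no legitimate need for a password field; `off_site` only helps triage.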


    3 Responses to “Critical flaw in Firefox and IE allows password theft”

    1. Biju:

      What Robert Chapin found was not a browser flaw, it is a myspace.com flaw due to insufficient sanitizing done by myspace.com on user submitted content.

      Cross site form submit is a feature very much used for around 10 years or more. If you stop that, even big sites like Bank of America or many sites using the MS passport.net service will stop functioning.

      As of Nov 26, I have not seen mozilla.org acknowledge it as a flaw.
      see http://www.mozilla.org/projects/security/known-vulnerabilities.html

      and bug https://bugzilla.mozilla.org/show_bug.cgi?id=360493

      It is sad that the media is repeating the same story without consulting relevant people.

    2. melon:

      Don’t worry. Mozilla fixes the bugs faster than other browsers, because it is faster. Did you know that you can significantly speed up Firefox? You can find a manual on how to easily speed up Firefox over here: http://www.mozila.pl/firefox-speed-up.html

    3. mozila:

      The history has shown that Firefox is safer than IE, so I don’t think that there is a reason to be afraid. Just get FF and surf the web faster http://www.mozila.com.pl
