Is MySpace to blame for Firefox password fault?

November 27, 2006

 

UPDATE: Users of both Mozilla’s Firefox and Microsoft’s Internet Explorer are at risk of having their saved passwords stolen, according to security researcher Robert Chapin, president of Chaplin Information Services - though not everyone agrees that the browsers are at fault.

The risk arises because the password manager of each browser can be tricked into handing over saved passwords to fake login pages. Chaplin has dubbed this Reverse Cross-Site Request [RCSR] vulnerability

Users of social networking services such as MySpace, and visitors to forums and blogging services are most at risk, because pages at these types of sites can be modified using HTML code to make them look like login pages to the browser’s password manager. Because the URLs of such pages look legitimate, the password manager is tricked into handing over the password, even though the password information is being sent to a different non-legitimate server.

While both browsers are vulnerable to this kind of attack, Internet Explorer is less vulnerable because it does a better job of checking where the log-in form is actually coming from before handing over the user and password information.

According to Chaplin, this technique has already been used to steal login information from MySpace members using Firefox. In the case MySpace, Firefox checks to see if the login form is coming from the official MySpace.com domain, but does not check that the password information is being sent back to MySpace.

But not everyone agrees that it’s the actual browsers that are at fault. An anonymous reader commenting at TECH.BLORGE.com leveled the blame squarely at MySpace:

“What Robert Chapin found was not a browser flaw, it is a MySpace flaw due to insufficient sanitizing done by myspace.com on user submitted content,” wrote the reader,who used the name Biju.

“Cross site form submit is a features very much used around 10 years or more. If you stop that even big sites like Bank of America or many sites using MS passport.net service will stop functioning.”

Both Microsoft and Mozilla have been notified about security vulnerability, and at the time of writing Mozilla had at least recognized the problem.

Personally, I think problem is more a browser problem than a MySpace problem. However, Biju makes an interesting point, and certainly it may be that in addition to Microsoft and Mozilla trying to overcome this vulnerability in their browsers, perhaps sites such as MySpace should also review their security processes.

Be Sociable, Share!

4 Responses to “Is MySpace to blame for Firefox password fault?”

  1. Biju:

    Thanks for at least telling
    “MySpace should also review their security processes.”

    As Robert Chapin suggestion to stop the cross site posting which will break otherwise fine site.
    I have a alternate method which is win for all see
    https://bugzilla.mozilla.org/show_bug.cgi?id=360493

    Later Gervase Markham mentioned this not something new, another good alternative he suggested is
    http://www.gerv.net/security/content-restrictions/

    BijuGC

  2. Biju:

    There are other ways trick a social networking site
    see http://ha.ckers.org/xss.html
    Do we need fix for them from browser company?

  3. Administrator:

    Biju, get in touch with me when you get a chance…

  4. melon:

    Don’t worry. Mozilla fixes the bugs faster them other browser, becouse is faster. Did you know that you can significantly speed up Firefox? You can find manual how to easily tweak Firefox over here: http://www.miscproject.com/blog/about/

Leave a Reply:


Recent stories

Featured stories

RSS Windows news

RSS Mac news

RSS iPad news

RSS iPhone & Touch

RSS Mobile technology news

RSS Tablet computer news

RSS Buying guides

RSS PS3/Wii/Xbox 360

RSS Green technology

RSS Photography

Featured Content

Archives

Copyright © 2014 Blorge.com NS