UPDATE: Users of both Mozilla’s Firefox and Microsoft’s Internet Explorer are at risk of having their saved passwords stolen, according to security researcher Robert Chapin, president of Chapin Information Services - though not everyone agrees that the browsers are at fault.
The risk arises because the password manager of each browser can be tricked into handing over saved passwords to fake login pages. Chapin has dubbed this the Reverse Cross-Site Request [RCSR] vulnerability.
Users of social networking services such as MySpace, and visitors to forums and blogging services are most at risk, because pages at these types of sites can be modified using HTML code to make them look like login pages to the browser’s password manager. Because the URLs of such pages look legitimate, the password manager is tricked into handing over the password, even though the password information is being sent to a different non-legitimate server.
While both browsers are vulnerable to this kind of attack, Internet Explorer is less vulnerable because it does a better job of checking where the log-in form is actually coming from before handing over the user and password information.
According to Chapin, this technique has already been used to steal login information from MySpace members using Firefox. In the case of MySpace, Firefox checks to see if the login form is coming from the official MySpace.com domain, but does not check that the password information is being sent back to MySpace.
But not everyone agrees that it’s the actual browsers that are at fault. An anonymous reader commenting at TECH.BLORGE.com leveled the blame squarely at MySpace:
“What Robert Chapin found was not a browser flaw, it is a MySpace flaw due to insufficient sanitizing done by myspace.com on user submitted content,” wrote the reader, who used the name Biju.
“Cross site form submit is a feature very much used around 10 years or more. If you stop that even big sites like Bank of America or many sites using MS passport.net service will stop functioning.”
Both Microsoft and Mozilla have been notified about the security vulnerability, and at the time of writing Mozilla had at least recognized the problem.
Personally, I think the problem is more a browser problem than a MySpace problem. However, Biju makes an interesting point, and certainly it may be that in addition to Microsoft and Mozilla trying to overcome this vulnerability in their browsers, perhaps sites such as MySpace should also review their security processes.