Skip to content
November 28, 2006 / Upnishad

a major security flaw in firefox2

Mozilla’s Firefox 2.0 has long been considered a safer Web browser than Microsoft’s Internet Explorer, but a new flaw in the Firefox Password Manager, which lets users store usernames and passwords for trusted Web sites, could let hackers steal their login data.

The problem, known as a reverse cross-site request, or RCSR, appears on blogs, message boards, or group forums that let users add comments with embedded HTML code.

On sites that allow users to enter code, a hacker can embed a form that tricks the user’s browser into sending its username and password information to the hacker’s computer. Because the form is embedded on a trusted Web site, the browser’s built-in antiphishing protection, which is designed to alert users to fraudulent Web sites, does not detect the problem.

Even worse, hackers can make the deceptive form invisible, meaning users can transmit their private data without even knowing it.

Bug #360493

Mozilla has acknowledged the problem and named it bug #360493. Microsoft has also admitted that RCSR attacks can affect Internet Explorer, but most reports indicate that Firefox is the more likely target because of the way it stores usernames and passwords.

Neither Mozilla nor Microsoft has released a patch for the problem, but users can avoid RCSR attacks simply by disabling their browsers’ autosave features for usernames and passwords. In Firefox, the feature is found in the “Options” window under the “Tools” menu.

Mozilla has indicated that it plans a fix in Firefox version 2.0.0.1 or 2.0.0.2.

Digg!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: