Software // Enterprise Applications
News
11/22/2006
12:36 PM
Connect Directly
RSS
E-Mail
50%
50%

Unpatched Flaw Means Firefox Passwords Can Be Stolen

Dubbed the "Reverse Cross-Site Request" vulnerability by its discoverer, the unpatched flaw is in Firefox's password-saving feature.

Security experts Wednesday warned that Mozilla Corp.'s Firefox browser has an unpatched flaw that lets criminals pilfer Web site or account passwords, and said that the tactic has already been used on MySpace to steal log-in information from users of the popular social networking service.

Dubbed the "Reverse Cross-Site Request" vulnerability by its discoverer, the vulnerability is in Firefox's password-saving feature. Attackers can exploit the flaw by crafting malicious HTML code that hijacks a username and password from a legitimate site, such as a blog or message forum, then transports the log-in to another site. Users would not notice that the theft had even taken place, said Robert Chapin, who reported the bug to Mozilla earlier this month.

Microsoft's Internet Explorer is also vulnerable to RCSR attack, added Chapin, although circumstances make it less likely that attackers will exploit the bug in IE.

Danish vulnerability tracker Secunia rated the threat as "Less critical," the second out of five possible rankings.

Chapin cited an October fraud on MySpace as the first evidence of an RCSR-based attack. "A recent large-scale attack using RCSR targeted MySpace.com users involved fake log-in forms on the MySpace site inviting users to type in their username and password," he wrote in a warning.

Current versions of Firefox, including 1.5.0.8 and 2.0, are vulnerable to RCSR attack; until a patch is available, users can deflect such attacks by disabling the automated password saving feature. In Firefox, users should select Tools|Options|Security, then clear the box marked "Remember passwords for sites."

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.