Browser flaw leaves passwords vulnerable

Users are vulnerable because the Password Manager fails to verify that the URL is legitimate

The Mozilla Foundation is warning of a critical bug in the new Firefox 2.0 browser that could leave passwords vulnerable to hackers. 

The new flaw is in the Password Manager feature of the browser, which stores log-in details for websites so that users do not have to input them every time they visit a protected website.

Users are vulnerable because the Password Manager fails to verify that the URL is legitimate.

The flaw was discovered by Robert Chapin of Chapin Information Services and seems to affect all versions of Firefox, and may also affect Microsoft's Internet Explorer. 

"Given the new nature of this type of attack, Chaplin has named this a Reverse Cross-Site Request [RCSR] vulnerability," said the company.

"This flaw could affect anyone visiting a blog or forum website that allows user-contributed HTML code to be added."

Chaplin claims that the attack has already been used to steal the log-in details of MySpace users, who were redirected to a false log-in page where their details were harvested.

The bug is as yet unpatched and Mozilla is advising users to turn off the Password Manager feature until a fix is available.

"This attack is much more likely to succeed because Internet Explorer and Firefox are not designed to check the destination of form data before the user submits them," said Chaplin.

"This behaviour does not occur in Internet Explorer unless the RCSR form appears on the same page as a legitimate log-in form, so IE actually behaves better in some situations.

"Users of Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum websites at trusted addresses."

Chapin has informed Microsoft of the problem.

Additional reporting by Clement James.