All the latest UK technology news, reviews and analysis
|
|
|
23 Nov 2006
The Mozilla Foundation is warning of a critical bug in the new Firefox 2.0 browser that could leave passwords vulnerable to hackers.
The new flaw is in the Password Manager feature of the browser, which stores log-in details for websites so that users do not have to input them every time they visit a protected website.
Users are vulnerable because the Password Manager fails to verify that the URL is legitimate.
The flaw was discovered by Robert Chapin of Chapin Information Services and seems to affect all versions of Firefox, and may also affect Microsoft's Internet Explorer.
"Given the new nature of this type of attack, Chaplin has named this a Reverse Cross-Site Request [RCSR] vulnerability," said the company.
"This flaw could affect anyone visiting a blog or forum website that allows user-contributed HTML code to be added."
Chaplin claims that the attack has already been used to steal the log-in details of MySpace users, who were redirected to a false log-in page where their details were harvested.
The bug is as yet unpatched and Mozilla is advising users to turn off the Password Manager feature until a fix is available.
"This attack is much more likely to succeed because Internet Explorer and Firefox are not designed to check the destination of form data before the user submits them," said Chaplin.
"This behaviour does not occur in Internet Explorer unless the RCSR form appears on the same page as a legitimate log-in form, so IE actually behaves better in some situations.
"Users of Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum websites at trusted addresses."
Chapin has informed Microsoft of the problem.
Additional reporting by Clement James.
Latest stories from Security
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Sneak peek at the forthcoming glass-based machine
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
Software Design Architect (Windows Database Application...
Lead Java Developer - Fast growing, young and international...
Job Specification Graduate Support Engineer...
Job Specification For: Software Developer...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
Thank You Iain
Goes to show once again that, unfortunately, the more you use your common sense and gray matter the better off you are. I have so many passwords I could not possibly remeber them all so I use a little stone age tool called a floppy disc. I keep it handy and back it up every so often to a DVD+RW that I hide in another room. I do NOT however keep passwords in these new computer boxes. I suppose I can, will and have been got too also but this has to make it a little harder does it not? Hope I helped somebody out there. Best, Ray
Posted by: Ray 25 Dec 2006
false log-in page in Firefox flaw
Would the false log-in page have legitimate, clickable ads or other links?
Posted by: JeanneA 27 Nov 2006
Appreciation
Appreciate your sharing the data for a non"nerd"!
Posted by: Dr. Merrill C. Mensor 26 Nov 2006