Article

Firefox, IE flaw could expose passwords

Bill Brenner, Senior News Writer

Attackers could steal user names and passwords by exploiting a flaw affecting both Firefox 2.0 and Internet Explorer (IE), Chapin Information Services Inc. (CIS) warned in an advisory Tuesday.

    Requires Free Membership to View

Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses.
Robert Chapin,
presidentChapin Information Services Inc.

Those who visit blogs and Web site forums that allow user-contributed HTML code to be added are particularly at risk, said CIS President Robert Chapin, whose advisory includes a proof-of-concept demonstration. Chapin is calling the problem a reverse cross-site request (RCSR) vulnerability. Attackers could exploit it to access users' passwords and usernames by presenting them with a fake login form. Data in the form is sent to the attacker's machine without the user's knowledge.

The risk is considered greater for Firefox users because the browser's password manager automatically enters saved passwords and usernames into the form.

"RCSR attacks are also actively targeting Microsoft Internet Explorer, however a flaw in Firefox makes the attack much more likely to succeed," Chapin said. "Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses."

He noted that attackers recently used the RCSR flaw to target MySpace.com users. That attack was first reported last month by Netcraft, a British Internet services firm. In this incident, users were lured to fake login forms on the MySpace Web site that asked for their user name and password.

"The RCSR attack is much more likely to succeed because neither Internet Explorer nor Firefox are designed to check the destination of form data before the user submits them," he said. "The user sees a trusted Web site address in the browser's address bar because the exploit is conducted at the trusted Web site."

Chapin reported the flaw to Mozilla Nov. 12, and the organization is working on a fix for Firefox version 2.0.0.1 or 2.0.0.2.

In the meantime, the Bethesda, Md.-based SANS Internet Storm Center (ISC) said on its Web site that the workaround is to never use Firefox to save passwords for any Web site.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: