Home > Security News > Firefox, IE flaw could expose passwords
Security News:
EMAIL THIS LICENSING & REPRINTS

Firefox, IE flaw could expose passwords

By Bill Brenner, Senior News Writer
22 Nov 2006 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

Attackers could steal user names and passwords by exploiting a flaw affecting both Firefox 2.0 and Internet Explorer (IE), Chapin Information Services Inc. (CIS) warned in an advisory Tuesday.

Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses.
Robert Chapin,
president, Chapin Information Services Inc.

Those who visit blogs and Web site forums that allow user-contributed HTML code to be added are particularly at risk, said CIS President Robert Chapin, whose advisory includes a proof-of-concept demonstration. Chapin is calling the problem a reverse cross-site request (RCSR) vulnerability. Attackers could exploit it to access users' passwords and usernames by presenting them with a fake login form. Data in the form is sent to the attacker's machine without the user's knowledge.

The risk is considered greater for Firefox users because the browser's password manager automatically enters saved passwords and usernames into the form.

"RCSR attacks are also actively targeting Microsoft Internet Explorer, however a flaw in Firefox makes the attack much more likely to succeed," Chapin said. "Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses."

He noted that attackers recently used the RCSR flaw to target MySpace.com users. That attack was first reported last month by Netcraft, a British Internet services firm. In this incident, users were lured to fake login forms on the MySpace Web site that asked for their user name and password.

"The RCSR attack is much more likely to succeed because neither Internet Explorer nor Firefox are designed to check the destination of form data before the user submits them," he said. "The user sees a trusted Web site address in the browser's address bar because the exploit is conducted at the trusted Web site."

Chapin reported the flaw to Mozilla Nov. 12, and the organization is working on a fix for Firefox version 2.0.0.1 or 2.0.0.2.

In the meantime, the Bethesda, Md.-based SANS Internet Storm Center (ISC) said on its Web site that the workaround is to never use Firefox to save passwords for any Web site.

Sound Off! -   Post your comments |  See others' comments (1)


Tags: Firefox Security and Mozilla SecurityInternet Explorer SecurityPassword CrackingVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts