Firefox, IE flaw could expose passwords

By Bill Brenner, Senior News Writer 22 Nov 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Attackers could steal user names and passwords by exploiting a flaw affecting both Firefox 2.0 and Internet Explorer (IE), Chapin Information Services Inc. (CIS) warned in an advisory Tuesday.

Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses. Robert Chapin, president, Chapin Information Services Inc.

Those who visit blogs and Web site forums that allow user-contributed HTML code to be added are particularly at risk, said CIS President Robert Chapin, whose advisory includes a proof-of-concept demonstration. Chapin is calling the problem a reverse cross-site request (RCSR) vulnerability. Attackers could exploit it to access users' passwords and usernames by presenting them with a fake login form. Data in the form is sent to the attacker's machine without the user's knowledge.

The risk is considered greater for Firefox users because the browser's password manager automatically enters saved passwords and usernames into the form.

"RCSR attacks are also actively targeting Microsoft Internet Explorer, however a flaw in Firefox makes the attack much more likely to succeed," Chapin said. "Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses."

He noted that attackers recently used the RCSR flaw to target MySpace.com users. That attack was first reported last month by Netcraft, a British Internet services firm. In this incident, users were lured to fake login forms on the MySpace Web site that asked for their user name and password.

"The RCSR attack is much more likely to succeed because neither Internet Explorer nor Firefox are designed to check the destination of form data before the user submits them," he said. "The user sees a trusted Web site address in the browser's address bar because the exploit is conducted at the trusted Web site."

Chapin reported the flaw to Mozilla Nov. 12, and the organization is working on a fix for Firefox version 2.0.0.1 or 2.0.0.2.

In the meantime, the Bethesda, Md.-based SANS Internet Storm Center (ISC) said on its Web site that the workaround is to never use Firefox to save passwords for any Web site.

Tags: Password Management and Policy,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Password Management and Policy Two-factor authentication, vigilance foil password theft Group to shed light on secure identity management threats Brute force attacks target Yahoo email accounts Best Identity and Access Management Products Privileged account management critical to data security Making the case for enterprise IAM centralized access control How to prevent brute force webmail attacks Best practices for a privileged access policy to secure user accounts Mature SIMs do more than log aggregation and correlation PCI compliance requirement 2: Defaults Web Browser Security Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology New Bahama botnet evades search engines, fuels click fraud SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary graphical password  (SearchSecurity.com) identity chaos  (SearchSecurity.com) logon  (SearchSecurity.com) masquerade  (SearchSecurity.com) OpenID  (WhatIs.com) salt  (SearchSecurity.com) session replay  (SearchSecurity.com) single-factor authentication (SFA)  (SearchSecurity.com) TACACS  (SearchSecurity.com) war dialer  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary