Firefox, IE flaw could expose passwords

By Bill Brenner, Senior News Writer 22 Nov 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Attackers could steal user names and passwords by exploiting a flaw affecting both Firefox 2.0 and Internet Explorer (IE), Chapin Information Services Inc. (CIS) warned in an advisory Tuesday.

Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses. Robert Chapin, president, Chapin Information Services Inc.

Those who visit blogs and Web site forums that allow user-contributed HTML code to be added are particularly at risk, said CIS President Robert Chapin, whose advisory includes a proof-of-concept demonstration. Chapin is calling the problem a reverse cross-site request (RCSR) vulnerability. Attackers could exploit it to access users' passwords and usernames by presenting them with a fake login form. Data in the form is sent to the attacker's machine without the user's knowledge.

The risk is considered greater for Firefox users because the browser's password manager automatically enters saved passwords and usernames into the form.

"RCSR attacks are also actively targeting Microsoft Internet Explorer, however a flaw in Firefox makes the attack much more likely to succeed," Chapin said. "Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses."

He noted that attackers recently used the RCSR flaw to target MySpace.com users. That attack was first reported last month by Netcraft, a British Internet services firm. In this incident, users were lured to fake login forms on the MySpace Web site that asked for their user name and password.

"The RCSR attack is much more likely to succeed because neither Internet Explorer nor Firefox are designed to check the destination of form data before the user submits them," he said. "The user sees a trusted Web site address in the browser's address bar because the exploit is conducted at the trusted Web site."

Chapin reported the flaw to Mozilla Nov. 12, and the organization is working on a fix for Firefox version 2.0.0.1 or 2.0.0.2.

In the meantime, the Bethesda, Md.-based SANS Internet Storm Center (ISC) said on its Web site that the workaround is to never use Firefox to save passwords for any Web site.

Tags: Password Management and Policy,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Password Management and Policy Best practices for a privileged access policy to secure user accounts Mature SIMs do more than log aggregation and correlation PCI compliance requirement 2: Defaults PCI compliance requirement 8: Unique IDs Enterprise password management policy: Finding the balance Ease the compliance burden with automation Security book chapter: The Truth About Identity Theft Recovering lost passwords with Cain & Abel How to conduct a periodic user access review for account privileges How to prevent SSH brute force attacks Web Browser Security Security researchers develop browser-based darknet Microsoft cracks down on click fraud ring Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates IT pros can detect, prevent website vulnerabilities, thwart attacks Stolen FTP credentials likely in massive website attacks Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert US-CERT warns of Gumblar, Martuz drive-by exploits Google study backs browser silent auto update feature Firefox update addresses several security flaws Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary graphical password  (SearchSecurity.com) identity chaos  (SearchSecurity.com) logon  (SearchSecurity.com) masquerade  (SearchSecurity.com) OpenID  (WhatIs.com) salt  (SearchSecurity.com) session replay  (SearchSecurity.com) single-factor authentication (SFA)  (SearchSecurity.com) TACACS  (SearchSecurity.com) war dialer  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary