Firefox vulnerable to password-stealing
Browser doesn't check who is asking for the information.
By Robert McMillan, IDG News Service | Published: 15:46, 23 November 2006
A flaw in Firefox allows you to steal user information on websites where users create their own pages, such as MySpace.
The flaw in the browser's Password Manager software can be tricked into sending password information to a different website, said Robert Chapin, president of Chapin Information Services. But for it to work, attackers need to be able to create HTML forms on the site - something not allowed on blogging and social networking sites.
The attack was used in a MySpace phishing attack last month where a fake log-in page was use to exploit the flaw. The page then sent MySpace username and password information to another site, and MySpace users who visited the page using Firefox could have easily had their information compromised, said Chapin. Firefox developers rate the bug critical.
Related Articles on Techworld
Password Manager currently does not check if password information is being sent to the server that requested it, Chapin said. "From a programming point of view, this is almost like a typo," he said. "Ironically I think that's why it hasn't been discovered until now. It was just way too obvious."
Internet Explorer is also susceptible to the attack but is less likely to be tricked because it does a more thorough job in checking to see where a log-in form is coming from before it automatically submits password and user information.
