Firefox password flaw
p2pnet.net News:- “Are you one of those people who lets Firefox save your passwords so you don’t have to type them in again?” – asked p2pnet on Tuesday.
If you are, it mightn’t be such a good idea, we said, basing the statement on new research from Chapin Information Services’ Robert Chapin, who’d found a new Firefox security hole.
He's calling it a Reverse Cross-Site Request (RCSR) and says it could allow a hacker to grab passwords stored by the Firefox Password Manager.
How serious is it? – we asked him.
“On a scale of 1 to 10, with respect to surfing issues, I’d put the Password Manager issue at an 8,” he states. “On other scales, like at Secunia this would be a 2 out of 5, because it doesn’t result in a crash or infection.”
We wondered how clever a hacker would have to be to exploit the flaw.
“An attacker would need a complete understanding of CSS, HTML, and HTTP, plus some working knowledge of server-side scripting to collect results,” he told p2pnet.
And in realistic terms, what kind of a threat did it present?
“The fact that this has already been done as a MySpace phish means it is quite viable,” he says.
Mozilla has labelled the exploit bug number 360493 and is working on a fix for Firefox 2.0.0.1 or 2.0.0.2.
A proof-of-concept demonstration is available here.
Also See:
new research – Firefox password security hole, November 21, 2006

November 23rd, 2006 at 2:16 pm
A couple of notes about this: this is only possible for sites in the same domain as a stored password.
Secondly, according to theregister.co.uk this bug also affects fully patched versions of IE7.
All the best