Welcome to p2pnet.net - The original daily p2p and digital news site. Always First!

Threat to MySpace Firefox users

p2pnet.net News:- On the heels of news that Rupert Murdoch’s MySpace is being used by online criminals as a useful phishing hole comes a fresh report saying MySpace has failed to properly repair a serious security vulnerability, first revealed last year.

Now, anyone using Firefox to go to MySpace, or anywhere else, should immediately disable the Password Manager, Chapin Information Services’ Robert Chapin, who discovered the flaw, told p2pnet.

On the MySpace flaw, using the original method employed during an October 2006 attack, and with one minor change, a Reverse Cross Site Request (RCSR) can still be injected into a MySpace.com E-Mail message, he says, going on:

“Vulnerabilities of this nature allow attackers to change the appearance of the website and trick the user’s computer into sending a username and password to any destination. In this case, the MySpace.com login form can be duplicated exactly, or the attack can be made invisible to the user.”

Here’s how Chapin explains it:

MySpace.com is a popular website that allows users to create web pages and emails using custom HTML. Because of the security risks involved in allowing users to create content, it is customary to reject raw HTML, or to evaluate it to verify the codes are completely valid.

However, MySpace.com uses neither approach. Beginning last year, the phrase “type=password” has been removed from all emails to prevent these types of attacks from happening.

This discovery by CIS of a new bug shows the current approach has been inadequate, and has left passwords vulnerable to theft.
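The contrast Chapin draws, deleting one phrase versus evaluating the HTML, can be shown in a few lines. This is an added example, not MySpace's filter and not the change Chapin refers to: the allowlist, the function names and the sample messages are all constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed allowlist for user-authored messages (illustrative policy only).
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}

# Constructed sample messages; example.invalid is a reserved placeholder host.
SAMPLES = [
    '<p>hi <b>there</b></p>',
    '<form action="https://example.invalid/"><input type=password name=p></form>',
    '<form action="https://example.invalid/"><input TYPE="password" name=p></form>',
]


def phrase_filter(html: str) -> str:
    """Blocklist approach described in the article: delete one literal phrase."""
    return html.replace("type=password", "")


class _Audit(HTMLParser):
    """Tokenizes the markup and records every tag or attribute outside policy."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.violations = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names and strips quotes, so spelling
        # variants of the same markup all arrive here in one form.
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"tag <{tag}> not allowed")
            return
        for name, _value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.violations.append(f"attribute {name} not allowed on <{tag}>")


def audit(html: str) -> list:
    """Return the list of policy violations; an empty list means accept."""
    parser = _Audit()
    parser.feed(html)
    parser.close()
    return parser.violations


if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(phrase_filter(s)), "->", audit(s) or "accepted")
```

Even where the phrase is removed, the message that survives still contains a form, which is why the decision has to be made on parsed elements rather than on a string.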

And on Firefox, “CIS now considers the Firefox Password Manager to be unsafe for all purposes,” says Chapin, adding:

“CIS will review this advisory when the Password Manager feature has been redesigned.”

Password management can be disabled in the latest Windows version of Mozilla Firefox by clicking Tools, Options, Security, and then clearing the check box labeled, “Remember passwords for sites.”

“Passwords can then be retrieved manually by clicking the Show Passwords button on that same screen.”


Also See:
phishing hole: Gone phishing - at MySpace, January 28, 2007
Chapin Information Services: MySpace.com Security Patch Failed, Users at Risk, January 29, 2007
Reverse Cross Site Request: Firefox password security hole, November 21, 2006



2 Responses to “Threat to MySpace Firefox users”

  1. Reader's Write Says:

    Here is a tip to prevent password steals in Firefox 2.0.0.1 (this will be fixed in Fx 2.0.0.2)

    http://www.zonafirefox.net/2006/12/robo-de-contraseas-en-firefox-2001.html

  2. Reader's Write Says:

    Why are y'all so mad? As long as you don’t add nobody but your friends or families that you know
