IE and Firefox blighted by fake login flaw
Print storyMyPhish.com
Posted in ID, 23rd November 2006 14:02 GMT
Free whitepaper – Certify your software integrity with Thawte code signing certificates
The latest versions of both Firefox and Internet Explorer are vulnerable to an unpatched flaw that allows hackers to snaffle users' login credentials via automated phishing attacks.
The information disclosure bug affects the password manager in Firefox 2.0 and its equivalent in IE7. Firefox's Password Manager, for example, fails to properly check URLs before filling in saved user credentials into web forms. As a result, hackers might be able to swipe users credentials via malicious forms in the same domain, providing users have already filled out forms on this domain.
Samples of attacks utilising the flaw have already been reported on MySpace. Firefox 2.0 users might be more at risk from the flaw because IE7 does not automatically fill in saved information. Security notification firm Secunia advises users to disable the "remember passwords for sites" option in their browsers pending the delivery of patches.
This so-called reverse cross-site request flaw was discovered by security researcher Robert Chapin, who explains the issue in greater depth in an advisory here. ®
Free whitepaper – The shortcut guide to managing certificate lifecycles
The best practices guide for application security
Avoiding 7 common mistakes of IT security compliance
The starter PKI program
Airport insecurity: the case of lost laptops
The mandate for application security
Google cloud told to encrypt itself
Buggy 'smart meters' open door to power-grid botnet
Chinese firm hits back at cyberspy claims
BlockMaster SafeStick hardware-encrypted USB drive