A potential flaw in the wayFirefoxweb browser handles log-ons
could be used by identity thieves to dupe users into disclosing
passwords, a leading security researcher has warned.
According to Aviv Raff, an
Israeli researcher, the flaw in Firefox 2.0.0.11 - Mozilla's latest
version - could redirect the username and password entered by the
user to the hacker's server instead of the real one.
An attacker could also create a web page with a link to a
trusted website (for example, a bank, a PayPal account, webmail,
etc.). When the victim clicks on the link, the trusted web page
will be opened in a new window, and a script will be executed to
redirect the new opened window to the attacker's web server, which
will then return the specially crafted basic authentication
response.
A video which demonstrates the first attack vector can be found
on
YouTube. A better quality video can be download from
here.