The Firefox browser is making it possible for cybercriminals to steal user information on websites where users create their own pages, according to some security researchers.
Firefox’s Password Manager software can be tricked into sending password information to an attacker’s website and creating forms. The problem could affect blogging and social networking sites such as MySpace.com.
The attack has already been used in one MySpace phishing attack reported in late October. In that attack, users registered a MySpace account named login_home_index_html and used it to host a fake log-in page that exploited the flaw.
This page sent MySpace username and password information to another website, and MySpace users who visited the page using Firefox could have had their information compromised. Firefox developers have already labelled the bug as critical, according to the project’s Bugzilla database.
The flaw arises because Firefox’s Password Manager does not perform a thorough enough check when it is deciding whether to send password information. Furthermore, it does not then ensure that password information is being sent to the server that requested it.
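The two missing checks described above can be shown side by side. This is an added example, not Firefox’s code: the stored-login shape, the function names and the `social.example` and `collector.example` hosts are assumptions made for illustration.

```javascript
// Constructed saved credential: where it was saved and where that form submitted.
const savedLogin = {
  origin: "https://social.example",
  formActionOrigin: "https://social.example",
  username: "alice",
};

// Resolve a form's action against the page URL and return the target origin.
// An empty or missing action submits back to the page itself.
function actionOrigin(pageUrl, formAction) {
  return new URL(formAction || pageUrl, pageUrl).origin;
}

// Weak decision: fill whenever the page is served from the saved origin.
function weakShouldFill(login, pageUrl) {
  return new URL(pageUrl).origin === login.origin;
}

// Stricter decision: the page origin AND the submit target must both match.
function strictShouldFill(login, pageUrl, formAction) {
  let target;
  try {
    target = actionOrigin(pageUrl, formAction);
  } catch {
    return false; // unparseable action: do not fill
  }
  return new URL(pageUrl).origin === login.origin &&
         target === login.formActionOrigin;
}

// Constructed forms: the site's own login page and two user-created pages.
const userPage = "https://social.example/login_home_index_html";
const cases = [
  { name: "site login form", page: "https://social.example/login", action: "/auth" },
  { name: "user page, absolute off-site action", page: userPage, action: "https://collector.example/save" },
  { name: "user page, scheme-relative action", page: userPage, action: "//collector.example/save" },
];

// Evaluate every case with both decisions so the difference is visible.
function evaluate() {
  return cases.map((c) => ({
    name: c.name,
    weak: weakShouldFill(savedLogin, c.page),
    strict: strictShouldFill(savedLogin, c.page, c.action),
  }));
}
```

A user-created page shares its origin with the site’s real log-in page, so the page-origin test alone cannot tell them apart; the submit target is what separates the two cases.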
As soon as a site becomes popular, you can bet someone will want to find a way to attack it. You can expect more attacks on MySpace in future, with browser insecurity being just one method. Expect them to have a motive of financial gain too.