Firefox flaw allows PayPal hack, says researcher


John-Paul Kamath

A potential flaw in the way the Firefox web browser handles log-ons could be used by identity thieves to dupe users into disclosing passwords, a leading security researcher has warned.

According to Aviv Raff, an Israeli researcher, the flaw in Firefox - Mozilla's latest version - could redirect the username and password entered by the user to the hacker's server instead of the real one.

An attacker could also create a web page with a link to a trusted website (for example, a bank, a PayPal account, webmail, etc.). When the victim clicks on the link, the trusted web page will be opened in a new window, and a script will be executed to redirect the newly opened window to the attacker's web server, which will then return the specially crafted basic authentication response.

A video which demonstrates the first attack vector can be found on YouTube. A better quality video can be downloaded from here.
