
Firefox flaw allows PayPal hack, says researcher

A potential flaw in the way Firefox web browser handles log-ons could be used by identity thieves to dupe users into disclosing passwords, a leading security researcher has warned.

According to Aviv Raff, an Israeli researcher, the flaw in Firefox 2.0.0.11 - Mozilla's latest version - could redirect the username and password entered by the user to the hacker's server instead of the real one.

An attacker could also create a web page with a link to a trusted website (for example, a bank, a PayPal account, webmail, etc.). When the victim clicks on the link, the trusted web page opens in a new window, and a script then redirects the newly opened window to the attacker's web server, which returns the specially crafted basic authentication response.

A video that demonstrates the first attack vector can be found on YouTube. A better quality video can be downloaded from here.

