Firefox, IE flaw could expose passwords

A flaw in Firefox 2.0 and IE could affect anyone visiting a Web site that allows user-contributed HTML codes to be added, according to Chapin Information Services.

Attackers could steal user names and passwords by exploiting a flaw affecting both Firefox 2.0 and Internet Explorer (IE), Chapin Information Services Inc. (CIS) warned in an advisory Tuesday.

Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses.
Robert Chapin,
presidentChapin Information Services Inc.

Those who visit blogs and Web site forums that allow user-contributed HTML code to be added are particularly at risk, said CIS President Robert Chapin, whose advisory includes a proof-of-concept demonstration. Chapin is calling the problem a reverse cross-site request (RCSR) vulnerability. Attackers could exploit it to access users' passwords and usernames by presenting them with a fake login form. Data in the form is sent to the attacker's machine without the user's knowledge.

The risk is considered greater for Firefox users because the browser's password manager automatically enters saved passwords and usernames into the form.

"RCSR attacks are also actively targeting Microsoft Internet Explorer, however a flaw in Firefox makes the attack much more likely to succeed," Chapin said. "Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses."

He noted that attackers recently used the RCSR flaw to target MySpace.com users. That attack was first reported last month by Netcraft, a British Internet services firm. In this incident, users were lured to fake login forms on the MySpace Web site that asked for their user name and password.

"The RCSR attack is much more likely to succeed because neither Internet Explorer nor Firefox are designed to check the destination of form data before the user submits them," he said. "The user sees a trusted Web site address in the browser's address bar because the exploit is conducted at the trusted Web site."

Chapin reported the flaw to Mozilla Nov. 12, and the organization is working on a fix for Firefox version 2.0.0.1 or 2.0.0.2.

In the meantime, the Bethesda, Md.-based SANS Internet Storm Center (ISC) said on its Web site that the workaround is to never use Firefox to save passwords for any Web site.

Read more on Operating systems software