


Firefox flaw lets in phishers


A security researcher has found a problem in Mozilla's Firefox browser that could allow phishers to gather information such as passwords.



A security researcher has found a problem in Mozilla's Firefox browser that could allow phishers to gather information such as passwords from unsuspecting surfers.

Robert Chapin, of Chapin Information Services, discovered a spoofed MySpace page and was disturbed to find that Firefox's Password Manager feature didn't realise that the page was actually in a domain he had not authorised to collect his passwords.

"I was shocked today to find an in-the-wild phish that uses nothing more than cross-site forms, and also extracts information from the Password Manager," said Chapin.

"I would have been thoroughly fooled by this page were it not for a tiny formatting error that the phisher overlooked, and could have been easily fixed. An unsuspecting user would only have to click the Login button on this legitimate-looking page for the phish to be complete," he continued.

The vulnerability is caused by the Password Manager not checking the URL before it automatically fills saved passwords into forms. Chapin sees this as a gaping hole in Firefox's defences.
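The missing URL check described above, sketched as an added example (not Firefox's code and not part of the original article): a hypothetical autofill gate that compares both the page's origin and the form's submit target against the saved login. The record fields `origin` and `submitOrigin`, the function names and every `.example` URL are assumptions constructed for illustration.

```javascript
// Added example: a hypothetical autofill gate, not Firefox's implementation.
// Field names (origin, submitOrigin) and all URLs are constructed.

// Resolve a URL (possibly relative to base) and return its http(s) origin,
// or null for anything unparsable or non-web (javascript:, data:, ...).
function webOrigin(url, base) {
  try {
    const parsed = new URL(url, base);
    return ['http:', 'https:'].includes(parsed.protocol) ? parsed.origin : null;
  } catch (err) {
    return null;
  }
}

// Decide whether a saved login may be filled into a form.
// An empty action attribute submits back to the page itself.
function autofillDecision(saved, pageUrl, formAction) {
  const pageOrigin = webOrigin(pageUrl);
  if (pageOrigin === null || pageOrigin !== saved.origin) {
    return { fill: false, reason: 'page-origin-mismatch' };
  }
  const actionOrigin = webOrigin(formAction || pageUrl, pageUrl);
  if (actionOrigin === null || actionOrigin !== saved.submitOrigin) {
    return { fill: false, reason: 'cross-site-action' };
  }
  return { fill: true, reason: 'match' };
}

// Constructed saved login and three constructed forms.
const savedLogin = {
  origin: 'https://social.example',
  submitOrigin: 'https://social.example',
};
const cases = [
  ['https://social.example/login', '/auth'],
  ['https://social.example/profile/123', 'https://collector.example/post'],
  ['https://social-login.example/login', '/auth'],
];
for (const [page, action] of cases) {
  const { fill, reason } = autofillDecision(savedLogin, page, action);
  console.log(`${page} -> ${action}: fill=${fill} (${reason})`);
}
```

The second case is the one the article is about: the form sits on a page of the trusted site but submits elsewhere, so a check on the page URL alone would still fill it.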

"I realise there is a consideration for cross-site functionality on certain subdomains. However, I must say I am shocked that Firefox lacks a warning for... the Password Manager in this case," he said.

Danish security company Secunia rates the flaw as 'less critical', and recommends that Firefox users go to Tools, Options, Privacy and uncheck the box marked 'Remember what I enter in forms and the search bar'.

http://secunia.com/
http://www.info-svc.com/

© Copyright IPC Media Limited 2009, All rights reserved