
Author Topic: Firefox flaw lets in phishers  (Read 1099 times)

Offline Clive

  • Administrator
  • *****
  • Posts: 75153
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Firefox flaw lets in phishers
« on: November 23, 2006, 13:37 »
A security researcher has found a problem in Mozilla's Firefox browser that could allow phishers to gather information such as passwords from unsuspecting surfers.

Robert Chapin, of Chapin Information Services, discovered a spoofed MySpace page and was disturbed to find that Firefox's Password Manager feature didn't realise that the page was actually in a domain he had not authorised to collect his passwords.

"I was shocked today to find an in-the-wild phish that uses nothing more than cross-site forms, and also extracts information from the Password Manager," said Chapin.

"I would have been thoroughly fooled by this page were it not for a tiny formatting error that the phisher overlooked, and could have been easily fixed. An unsuspecting user would only have to click the Login button on this legitimate-looking page for the phish to be complete," he continued.

The vulnerability is caused by the Password Manager not checking the URL before automatically filling in saved passwords into forms. Chapin sees this as a gaping hole in Firefox's defences.

"I realise there is a consideration for cross-site functionality on certain subdomains. However, I must say I am shocked that Firefox lacks a warning for... the Password Manager in this case," he said.

Danish security company Secunia rates the flaw as 'less critical', and recommends that Firefox users go to Tools, Options, Privacy and uncheck the box marked 'Remember what I enter in forms and the search bar'.

http://secunia.com/
http://www.info-svc.com/
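
The missing URL check described in the article above, sketched as an added example that is not part of the original post and is not Firefox's own code: before filling a saved login, compare both the page's origin and the form's submit target against what was recorded when the password was saved. The function names, the `savedLogin` fields and the `.example` hosts are assumptions made for illustration.

```javascript
// Added illustration; function and field names are hypothetical, not Firefox internals.

// Reduce a URL to its origin (scheme + host + port). Relative form actions are
// resolved against the page URL. Non-http(s) targets are rejected.
function webOrigin(url, base) {
  try {
    const u = new URL(url, base);
    return (u.protocol === 'https:' || u.protocol === 'http:') ? u.origin : null;
  } catch (e) {
    return null;
  }
}

// savedLogin: { pageOrigin, submitOrigin, username }, recorded when the password was stored.
function autofillDecision(savedLogin, pageUrl, formAction) {
  const pageOrigin = webOrigin(pageUrl);
  // An empty action attribute submits the form back to the page itself.
  const submitOrigin = webOrigin(formAction || pageUrl, pageUrl);
  if (!pageOrigin || !submitOrigin) {
    return { fill: false, reason: 'unparseable or non-web URL' };
  }
  if (pageOrigin !== savedLogin.pageOrigin) {
    return { fill: false, reason: 'page origin differs from saved login' };
  }
  if (submitOrigin !== savedLogin.submitOrigin) {
    // The case the article describes: a form hosted on the trusted site
    // that sends the credentials somewhere else.
    return { fill: false, reason: 'form submits to ' + submitOrigin };
  }
  return { fill: true, reason: 'page and submit origins match' };
}

// Constructed sample data (reserved .example names), not taken from the report.
const saved = { pageOrigin: 'https://social.example', submitOrigin: 'https://social.example', username: 'alice' };
const cases = [
  ['https://social.example/login', '/auth'],
  ['https://social.example/profile/123', 'https://collector.example/login'],
  ['https://social.example.lookalike.example/login', '/auth'],
  ['https://social.example/login', 'javascript:void(0)'],
];
for (const [page, action] of cases) {
  const d = autofillDecision(saved, page, action);
  console.log(page, '->', action, ':', d.fill ? 'FILL' : 'SKIP', '(' + d.reason + ')');
}
```

A form on the same origin that also posts back to the same origin still passes this check, which is the residual "same domain" risk and the reason the advice in the article is to turn off saved form data altogether.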


Offline Clive

  • Administrator
  • *****
  • Posts: 75153
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Re: Firefox flaw lets in phishers
« Reply #1 on: November 23, 2006, 16:05 »
IE7 will NOT be beaten!  ;D

IE and Firefox blighted by fake login flaw

The latest versions of both Firefox and Internet Explorer are vulnerable to an unpatched flaw that allows hackers to snaffle users' login credentials via automated phishing attacks.

The information disclosure bug affects the password manager in Firefox 2.0 and its equivalent in IE7. Firefox's Password Manager, for example, fails to properly check URLs before filling in saved user credentials into web forms. As a result, hackers might be able to swipe users' credentials via malicious forms in the same domain, providing users have already filled out forms on this domain.

Samples of attacks utilising the flaw have already been reported on MySpace. Firefox 2.0 users might be more at risk from the flaw because IE7 does not automatically fill in saved information. Security notification firm Secunia advises users to disable the "remember passwords for sites" option in their browsers pending the delivery of patches.



Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re: Firefox flaw lets in phishers
« Reply #2 on: November 23, 2006, 20:18 »
Bugger.  But I bet Firefox will get a patch out before IE.  ;)
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re: Firefox flaw lets in phishers
« Reply #3 on: November 23, 2006, 23:14 »
On the other hand, this makes interesting reading.   :o:

Offline Clive

  • Administrator
  • *****
  • Posts: 75153
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Re: Firefox flaw lets in phishers
« Reply #4 on: November 23, 2006, 23:36 »
 :D  I couldn't open the phish tank site.

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re: Firefox flaw lets in phishers
« Reply #5 on: November 23, 2006, 23:39 »
 :aarrgh: :damnit: :shuddup: :slug:  They must be updating it.   :o:

