Firefox form filler vulnerability - definitely watch out for this one

mouser:
Yikes!

We reported back in October that a phishing attack had hit MySpace, creating fake login forms that looked like the real thing. These appeared on 3000 profile pages, according to Mashable Labs. They worked by using MySpace’s popular html editing features (an essential part of the MySpace layouts craze) to display a login form - once you’d entered your login details, the creators could hijack your profile page, creating another fake login form and sending out spam bulletins. What’s more, we noted briefly that Firefox identified these as real MySpace login pages, and automatically filled in your details.

Now CNET and others are picking up on the story, pointing out that this is a major flaw with the Firefox Password Manager. The flaw affects both Mozilla Firefox and Internet Explorer 7, but it’s being said that Firefox is more vulnerable. Firefox sees “http://www.myspace.com” in the address bar and assumes that the form is a genuine MySpace login page - it doesn’t check, however, where the login details are sent to once you submit them. But what’s even more worrying is that this can be done without a visible login form: a site can hide the login form from view, and have the details automatically submitted when you click a link. Mozilla are working on a fix, but for now the solution is not to use the Password Manager to remember your passwords.

--- End quote ---


http://mashable.com/2006/11/23/myspace-attack-highlights-firefox-flaw/
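
The check the quoted article says is missing (where the form sends its data, and whether the form is visible at all), sketched as an added example that is not part of the original post and not Mozilla's code. `shouldAutofill`, the form objects and the `collector.example` host are hypothetical and constructed for illustration:

```javascript
// Added example: a policy check a password manager could run before autofilling.
// pageUrl     - URL shown in the address bar
// form        - { action: string, visible: boolean } (hypothetical shape)
// savedOrigin - origin the credentials were originally saved for
function shouldAutofill(pageUrl, form, savedOrigin) {
  const page = new URL(pageUrl);

  // Credentials are bound to the origin where they were stored.
  if (page.origin !== savedOrigin) {
    return { fill: false, reason: "page origin differs from saved origin" };
  }

  // Resolve the action against the page URL. An empty action posts back to
  // the page itself; "//host/path" inherits the page's scheme.
  let target;
  try {
    target = new URL(form.action || "", page);
  } catch (e) {
    return { fill: false, reason: "unparseable form action" };
  }

  // The address bar alone is not enough: the destination must match too.
  if (target.origin !== page.origin) {
    return { fill: false, reason: "form submits to " + target.origin };
  }

  // A form the user cannot see should never receive credentials silently.
  if (!form.visible) {
    return { fill: false, reason: "form is not visible to the user" };
  }

  return { fill: true, reason: "same-origin, visible form" };
}

// Constructed sample forms, all served from a page on www.myspace.com.
const SAVED = "http://www.myspace.com";
const PAGE = "http://www.myspace.com/someprofile";
const genuineForm = { action: "/login", visible: true };
const offSiteForm = { action: "http://collector.example/grab", visible: true };
const hiddenForm = { action: "/login", visible: false };
```
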



longrun:
Yet another reason to use Opera.
