Mozilla's Firefox 2 and Microsoft's Internet Explorer 7 are vulnerable to a flaw

Posted by firecad2006 on Mon, 11/27/2006 - 19:42
For the Record

Dubbed a reverse cross-site request, or RCSR, vulnerability by its discoverer, Robert Chapin, the flaw lets hackers compromise users' passwords and usernames by presenting them with a fake login form. Firefox Password Manager will automatically enter any saved passwords and usernames into the form.


Submitted by on Wed, 11/29/2006 - 01:14.

This is more of a flaw in the website that implements an app the way they've done it at MySpace (since fixed by MySpace). If you write a sloppy website, bad things can happen.

- Asa

Submitted by Kelson on Wed, 11/29/2006 - 19:06.

I guess by the same token, vulnerabilities in system ActiveX controls that allow websites to break into the system aren't really flaws in IE.

It is a flaw in Firefox.  It's an input validation problem: the password manager is not being as careful as it could be to validate that the form it's filling out is the form it should be filling out.  This is evidenced by the fact that IE is vulnerable to the same attack, but in a much narrower range of cases.

And the fact that it can steal passwords without user interaction should be cause for concern, not denial.

--

Can Firefox users and Opera fans agree on anything?
The Alternative Browser Alliance
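
As an added illustration of the validation point made above (my own example, not code from Firefox, Mozilla or anyone in this thread), the two autofill policies below differ only in whether the form's submit target is checked against the origin the credential was saved for. The site, credential and form data are constructed for the example.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample credential: saved for one origin only.
SAVED = {"origin": "https://www.example.com", "username": "alice", "password": "s3cret"}

def origin_of(url):
    """Return scheme://host[:port] of a URL, lower-cased (the comparison unit here)."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"

def resolve_action(page_url, action):
    """Resolve a form's action attribute against the page URL; an empty action
    means the form submits back to the page itself."""
    return urljoin(page_url, action) if action else page_url

def weak_autofill(saved, page_url, action):
    """Fill whenever the page origin matches the saved origin.  A form injected
    into user-controlled content on that same site therefore gets filled too,
    whatever host it posts to (the situation discussed in this thread)."""
    return origin_of(page_url) == saved["origin"]

def strict_autofill(saved, page_url, action):
    """Fill only if the page origin matches AND the resolved submit target is
    that same origin, so a form posting off-site is left empty."""
    if not weak_autofill(saved, page_url, action):
        return False
    return origin_of(resolve_action(page_url, action)) == saved["origin"]

def compare_policies(saved, forms):
    """Return (weak, strict) decisions for a list of (page_url, action) pairs."""
    return [(weak_autofill(saved, p, a), strict_autofill(saved, p, a)) for p, a in forms]

# Constructed forms: the site's real login form, an injected form on the same
# site posting elsewhere, and a form on a separate third-party site.
FORMS = [
    ("https://www.example.com/login", "/session"),
    ("https://www.example.com/profile/someone", "https://collector.example.net/post"),
    ("https://lookalike.example.net/login", "/login"),
]

if __name__ == "__main__":
    for (page, action), (weak, strict) in zip(FORMS, compare_policies(SAVED, FORMS)):
        print(f"{page} -> {action or '(self)'}: weak={weak} strict={strict}")
```

Note that a port written explicitly (`https://www.example.com:443`) does not compare equal to the saved origin here; a real implementation would normalise default ports before comparing.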

Submitted by ZasQuaTch on Fri, 12/01/2006 - 01:44.

oh what?

firefox can steal passwords?

oh geez..how..

Submitted by jessetheinferno2113 on Sun, 12/03/2006 - 06:22.

don't get too excited zatch... it's simply saying that if you have passwords saved in your password manager, and you reach a website that can successfully request those passwords but is not the actual site, then they can have access to them.

this is true with any password manager on any browser to my knowledge

Submitted by Kelson on Fri, 12/01/2006 - 18:48.

A fake form on the real website can steal passwords.

But it does have to be on the real website -- a third-party phishing site wouldn't be able to do it.

--

Can Firefox users and Opera fans agree on anything?
The Alternative Browser Alliance

Submitted by jessetheinferno2113 on Sun, 12/03/2006 - 06:23.

exactly

Submitted by firecad2006 on Wed, 11/29/2006 - 04:06.

I didn't write this; I found it at BBC.com, but I had IE when I found it, and when I went to post it here the toolbar above would not show up. I don't know why, so I couldn't put the link to it.

Songbird

Submitted by Kelson on Wed, 11/29/2006 - 19:08.

For anyone who's reading this, here are a couple of links:

--

Can Firefox users and Opera fans agree on anything?
The Alternative Browser Alliance

Submitted by ZasQuaTch on Fri, 12/01/2006 - 01:42.

so couldn't you guys at mozilla essentially change those settings so that when ppl initially download it, they'll be safer?

or just notify them of HOW to change those settings after they download the software with an information window or something..?