Firefox, IE Vulnerable to Password Theft

Frequent visitors to blogs and Internet forums may be particularly at risk of identity theft due to an exploit that prompts the Firefox and Internet Explorer password managers to give away their protected information. Both Mozilla and Microsoft have acknowledged the problem and are working on fixes.

A software security researcher has warned that the password manager features of Mozilla's open source Firefox 2.0 and Microsoft's (Nasdaq: MSFT) Internet Explorer (IE) Web browsers could be exploited, placing unsuspecting users at risk.

Users of Firefox or Explorer, both of which may be vulnerable to the attack known as "Reverse Cross Site Request" (RCSR), are not fooled directly by the password theft exploit. Instead, it provides a fake login site that fools a browser's saved password feature into automatically providing the information, Robert Chapin, president of Chapin Information Services, reported.


Neither the latest Firefox 2.0 nor Explorer 7 browser were designed to check the destination of form data before submission, thus making them vulnerable to the weakness.

Because the exploit is actually conducted at a trusted Web site, the user sees a trusted address in the browser bar, according to Chapin.

"Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses," Chapin wrote for his security site Chapin Information Services (CIS).

http://www.technewsworld.com/story/QH9bSetNcAdCEL/Firefox-IE-Vulnerable-to-Password-Theft.xhtml

do i say "Dont Remember My Password" and "am i using OPERa or other browser?"

 

WoW(shudder) great find infoseeker, the article doesn't mention Opera, wonder if it's "Password Manager" is vunerable as well. Thanks again Infoseeker for the heads up

 

Thats why I use RoboForm

 

Don't see anything in Roboform that protects you from this threat though Blades unless it can detect "Reverse Cross Site Request" (RCSR) which I do not see it says it can or can not, neither does Opera on its Password Manager.............thing is you can't say safe surfing to this one. Dang going to have to do some more research on this one

 

The almighty Firefox has a.....flaw?!?

Easy fix until Moz issues an update: disable the "Remember passwords for sites" option in the preferences.

http://secunia.com/advisories/23046/

And BC is correct, using Roboform doesn't save you on this one.

Well, since FF is such a risk now, best find another browser.

http://browsers.evolt.org/

 

What about Netscape? But I'm with ya on the not saving a password EVER, write it down in a safe place.

What's the point in locking your door if you leave the key in the lock?

 

After a night of reflection on this.......I ask myself what the heck is someone going to do with my Name and Password to say MG........Post something nasty or inappropriate.........hey MA I now have a legit excuse for all my past transgressions.......It weren't me Honest

But all kidding aside what the heck are they going to be able to do, unless you have filled out the "Filled Forms" option in "Password Manager" which I have little knowledge of, because I thought it was dangerous before this, what do they have...............All secure sights request much more than what "Password Manager" contains.

Just my next day thoughts....................or is it really me Mhuhuhuh

 

Firefox, IE7, and Safari are all vulnerable to the RCSR exploit. It stands to reason that since Netscape 8 is built from Firefox 1.x code that it is also vulnerable.

This vulnerability could affect anyone, using FireFox, IE7, or Safari, while visiting a website that allows user-contributed HTML code.

The browser is not directly fooled, by the RCSR exploit. Instead the user is presented with a fake login page that fool’s the browser into providing the UserID and Log-In information. None of these browsers were designed to check the form data before submission.

The risk to the average user is negligible, diligence on the part of the user and this type of exploit is not successful. However, this type of attack can be particularly effective, as the user is presented with a Log-In page very similar to the one they are used to seeing on a website they trust.

The developers of Firefox are actively working to patch this exploit. The fix will be forth coming in either version 2.0.0.1 or 2.0.0.2. The fix is a bit more problematic than most as it will require changes in the “User Interface”. The fix may not make it into 2.0.0.1 because of this. Earlier versions of Firefox are also affected, it is not clear if a fix is forthcoming for those versions.

At least Mozilla acknowledged that there is an issue with Password Manager, they simply didn't respond with “We are aware of the issue you reported.” And, “As a matter of policy, we cannot comment on ongoing investigations.” As Microsoft has when Chapin Information Services (CIS) inquired about the vulnerability in IE7. It could be months before a patch for IE7 is issued.

I have not located any documentation/statements from Apple regarding the vulnerability in Safari.

All this because of a Phishing scam on MySpace that netted close to 50,000 account details.

You can play the rotating Browser game if you want, but what are you going to do, when an exploit is discovered in your new 'favorite' browser? Switch browsers again?

If you use FF simply turn off the Password manager. If you use IE7 disable scripting. For Safari turn off Auto Fill.

 

How do yuo disable scripting in IE?

 

I don't believe Opera is vulnerable to this particular exploit. At least if it is it hasn't been disclosed.

 

IE > Tools > Internet Options > Security > Trusted Sites
Change to Custom, scroll down to "Active X controls and plug ins" either change to "Prompt" or "Disable".

If you disable ActiveX completely you will not be able to access freatures on some sites.

 

Yeah, well, there is always this risk when you trust any program to "save your passwords for you".

That's why I never, ever use form autocompletion.

 

Thanks Shadow

 

Cute answer!

 

It's going to be interesting to see if the "mighty" M$ or if the -Noble, Honourable and all other things good- Mozilla will come up with a fix first. No money for the person who guesses who I'm rooting for. GO FF!

 

Why would MS fix a problem in someone elses product ?? Just because they've got a similar problem doesn't mean that it's for the same reason

 

I don't think that's what he's saying, is he? Sounds like he wants to see which company fixes their product first...?

 

And what I'm saying is that since they don't share the same codebase, the problems are different even though the exploit is the same. So to "race" them would be a little unfair.

 

To those interested in the bugzilla report on this flaw, check out:

https://bugzilla.mozilla.org/show_bug.cgi?id=360493

 

Has anyone out there heard if Opera is affected, I haven't, just thought some of you might.

 

http://my.opera.com/community/forums/topic.dml?id=167537

"Magic wand" will protect thee.

CTRL + ENTER, may not....

Good info found here:

http://my.opera.com/community/forums/topic.dml?id=162349

More.

http://my.opera.com/community/forums/topic.dml?id=159282

 

Thanks theefool, clear as mud right, bottom line seems to be the sites you visits responsibility, as ANY browser or browser operator could/can be fooled (No Pun, but good)

I wave that dang "Magic Wand" in Opera and I turn into a Frog ribit, ribit

 

Hi, S_P_D, glad to see you in this Forum occcasionally.

MY IE6 does not have the options of "Prompt' or "Disable", only "Disable" and "Enable", unfortunately.

I have set it to "Disable" for the moment, to see what happens.
Bazza

===

 

Hey bazza, I've been lurking in the shadows, pun intended.

Sorry, those instructions were for IE7. It's not a bad idea to take similar precautions to protect yourself if you use IE6. I haven't seen anything about the RCSR exploit and whether or not IE6 is vulnerable to this type of attack.

 

Thought it was for IE7. Just keeping you honest. lol.
As I mentioned I have set mine (IE6) to disable (yesterday), to see what happens. Bazza

===