November 25, 2006

Critical Flaw in Firefox found

A flaw in Firefox makes it easy for cyber criminals to steal our information on Web sites where we create their own pages, such as The flaw lies in Firefox's Password Manager software, which can be tricked into sending password information to an attacker's Web site. For this attack to work, attackers need to be able to create HTML (Hypertext Markup Language) forms on the Web site.

The attack was used in a MySpace phishing attack reported in late October. In that attack, users registered a MySpace account named login_home_index_html and used it to host a fake log-in page that exploited the flaw. This page sent MySpace username and password information to another Web site, and MySpace users who visited the page using Firefox could have lost their confidential data.

The flaw arises because Firefox's Password Manager does not perform a thorough enough check when it is deciding whether to send password information, and then does not ensure that password information is being sent to the server that requested it. In the MySpace attack, for example, Firefox would check to see if the form was coming from the domain, but did not make sure that the password information was being sent back to a MySpace server.

What should we do now to protect our data?

Immediately erase all stored passwords in Firefox.

Fig 1: Firefox password options. Click to enlarge

Another thing we should do now is to change the passwords as soon as possible.

Technorati Tags: Password theft, Firefox