
Serious Security Flaw Discovered in Firefox v2.0's Password Manager

Internet Explorer Users May Also Be Affected

By Scott Orgera, About.com

Apr 27 2007

A serious weakness has been discovered in the security of Firefox version 2.0 that affects both Windows and Macintosh users. The flaw lies in the browser's Password Manager and could affect a large number of people.

Who Is At Risk

Those of you who use this version of Firefox to visit sites that allow user-created HTML forms may be at risk. The majority of blogs fall into this category, as do some sites that let you build your own personal pages. One of these sites is the widely popular MySpace, where the bug was first brought to light in late October. Netcraft, a company that specializes in network security services, among other things, released a report about MySpace account logins and passwords being stolen by phishers who duped unsuspecting visitors into submitting their account information through a phony login form. Their credentials were then sent directly to the attacker's server rather than to the legitimate login location. MySpace, after being notified, began to take action immediately, but it was not reported how many accounts were actually compromised.

How Firefox Was Exploited

At the time, it was not clear if this was strictly a problem with MySpace or what the full extent of the issue was until Chapin Information Systems released a detailed report of the flaw in Firefox and how far-reaching it could actually be. According to Chapin, Firefox's Password Manager can be manipulated into sending your login credentials to a phisher's computer without you ever seeing or knowing a thing. Perhaps the most unnerving fact in the report is that the forms used to send your information to the attacker can be totally hidden and can be initiated simply by you clicking on an invisible link.

Internet Explorer Users Not In The Clear

This type of attack, defined as a Reverse Cross Site Request (RCSR) vulnerability, can also affect Internet Explorer users who choose to save their passwords in the browser. However, the flaw in Firefox's Password Manager makes the Mozilla browser much more susceptible to the attack. The reason for this, according to Chapin, is that IE is much more efficient in checking the validity of a form's owner prior to sending information.
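The "form owner" check described above can be illustrated with a small added example (not Mozilla's or Microsoft's code): before filling saved credentials into a form, a password manager resolves the form's submission target and only fills it when that target is the same origin the credentials were saved for. The page URL and form descriptors are constructed sample data.

```javascript
// Added example of a form-owner check for a password manager. Assumed
// mechanism (not the browsers' actual implementation): saved credentials are
// only filled into a form whose resolved action has the same origin as the
// page that the credentials were saved for.

// Constructed sample: the page a user is viewing, and forms as a password
// manager would see them after parsing, with the action attribute as written.
const PAGE_URL = "http://www.example-social.test/profile/user123";

const SAMPLE_FORMS = [
  { id: "real-login", action: "/login", hasPasswordField: true },
  // Looks like the site's login box but would submit to another host.
  { id: "injected", action: "http://collector.example.test/grab", hasPasswordField: true },
  { id: "search", action: "/search", hasPasswordField: false },
  // Protocol-relative action: still resolves to a different origin.
  { id: "protocol-relative", action: "//collector.example.test/grab", hasPasswordField: true },
];

// Resolve a form's action against the page URL and return the target origin.
// An empty action means "submit to the current page".
function formTargetOrigin(action, pageUrl) {
  return new URL(action || "", pageUrl).origin;
}

// Decide whether saved credentials may be filled into this form.
function mayAutofill(form, pageUrl) {
  if (!form.hasPasswordField) return false; // nothing to fill
  const pageOrigin = new URL(pageUrl).origin;
  return formTargetOrigin(form.action, pageUrl) === pageOrigin;
}

// Report forms carrying a password field that would submit it off-origin.
function findOffOriginPasswordForms(forms, pageUrl) {
  return forms
    .filter((f) => f.hasPasswordField && !mayAutofill(f, pageUrl))
    .map((f) => ({ id: f.id, target: formTargetOrigin(f.action, pageUrl) }));
}

console.log(findOffOriginPasswordForms(SAMPLE_FORMS, PAGE_URL));
```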

What To Do Next

Mozilla, which has detailed the bug in its public bug database, has stated that it will be resolved in an upcoming release of Firefox (either v2.0.0.1, which is the very next release, or v2.0.0.2). Microsoft, on the other hand, has acknowledged the lesser problem with Internet Explorer but declined to comment at this time regarding a potential resolution.

In the meantime, you should not sit around waiting for the browser developers to create a fix for this critical flaw. If you are a Firefox user, follow these steps to protect yourself. If you use Internet Explorer, as stated above, your risk is not nearly as great, although it does exist. IE 7 users can play it safe by configuring the browser's AutoComplete feature to exclude user names and passwords on forms. For other versions of IE, you will find the AutoComplete or password-saving features under Internet Options. Disable password saving and erase the passwords already stored in the browser. Be sure to record your user names and passwords in a safe place before erasing anything.

©2009 About.com, a part of The New York Times Company.

All rights reserved.