Thursday, 23 November 2006

One of the things that users like about Firefox - it's ability to remember passwords - has suddenly become a liability because of new vulnerability that allows hackers to steal previously saved passwords.

The vulnerability, which affects the latest release of Firefox, version 2.0, has been called a reverse cross-site request (RCSR) by its discoverer Robert Chapin, a Microsoft Certified Engineer.

According to Chapin, the flaw could affect anyone visiting a weblog or forum website that allows user-contributed HTML codes to be added.

Basically, what can occur is that a hacker can put up a fake form on a trusted site like MySpace (which has reportedly already occurred) and users simply have to click on the form for their saved passwords to be transmitted to the hacker's website. Worse still, a hacker can put up an invisible form on a page and users can unwittingly transmit their passwords unwittingly by clicking on the part of the page that contains the invisible form.

On his website, Chapin says that Internet Explorer 7 users could also be vulnerable to such attacks but less so because passwords will not automatically be transitted in Internet Explorer unless the RCSR form appears on the same page as a legitimate login form.

The good news for Firefox users is that the problem is easily fixed until a patch is made available. They can simply untick the remember passwords for sites box which is accessible from the tools menu and selecting options then security.

[link to www.itwire.com.au]