Saturday, November 25, 2006

Firefox & IE7 Vulnerability - Fake Login Pages

Did you switch to the latest Firefox 2 or IE7 lately and think you are safe in the holy shit world of the internet?

A recent review by ZDNet shows that a flaw lets hackers compromise users' passwords and usernames by presenting them with a fake login form. Firefox Password Manager will automatically enter any saved passwords and usernames into the form.

The data is then automatically sent to an attacker's computer without the user's knowledge, according to the Chapin Information Services site. An exploit for this flaw has already been seen on the social-networking site www.MySpace.com, and it could affect anyone using a blog or forum that allows user-generated HTML code to be added, according to ZDNet.

At the time of writing this post, no fix is available on the Mozilla site, but the bug has been reported in the bug list.

Recommendation to Minimise the Risk of Attacks:

Operators of Web sites, especially encrypted ones, should review their server code for the possibility of XSS and RCSR injections.
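One way to carry out this review on a blog or forum that accepts user-generated HTML, as an added example that is not from the original post: it flags form markup, password fields and off-site form actions in a submission so the site can reject or strip them before publishing. The function and class names, the `forum.example` and `collector.example` hosts and the sample input are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that let user-supplied markup build or submit a form.
FORM_TAGS = {"form", "input", "button", "select", "textarea"}

# Constructed sample of a user-submitted comment body (not taken from the post).
SAMPLE = (
    '<p>Welcome to my page</p>'
    '<form action="https://collector.example/save" method="post">'
    '<input type="text" name="username">'
    '<input type="password" name="password">'
    '</form>'
)


class FormFinder(HTMLParser):
    """Collects (reason, detail) findings about form markup in a submission."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag not in FORM_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            try:
                host = urlparse(a.get("action", "").strip()).hostname or ""
            except ValueError:
                self.findings.append(("unparseable form action", a["action"]))
                return
            if host and host != self.site_host:
                self.findings.append(("off-site form action", host))
                return
        if tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append(("password field", a.get("name", "")))
        else:
            self.findings.append(("form element", tag))


def review_user_html(html, site_host):
    """Return findings for one submission; an empty list means no form markup."""
    finder = FormFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings
```

A check like this belongs next to, not instead of, an allow-list HTML sanitizer: any finding is a reason to reject the submission or strip the element.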

2 comments:

Rohan Chandane said...

:)

Rohan Chandane said...

Nice info. Using Firefox extensions, we should never try unauthorised extensions and download-install them; there are chances that it should pass some browser info out! It can be used for phishing!

Cheers,
Rohan Chandane