A software security researcher has warned that the password manager features of Mozilla’s open source Firefox 2.0 and Microsoft’s Internet Explorer (IE) Web browsers could be exploited, placing unsuspecting users at risk.
Users of Firefox or Explorer, both of which may be vulnerable to the attack known as “Reverse Cross Site Request” (RCSR), are not fooled directly by the password theft exploit. Instead, the attack presents a fake login form that fools the browser’s saved password feature into automatically providing the credentials, Robert Chapin, president of Chapin Information Services, reported.
Neither the latest Firefox 2.0 nor Explorer 7 browser was designed to check the destination of form data before submission, which is what makes them vulnerable.
Because the exploit is actually conducted at a trusted Web site, the user sees a trusted address in the browser bar, according to Chapin.
“Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses,” Chapin wrote for his security site Chapin Information Services (CIS).
Don’t Remember My Password
Both Microsoft and Mozilla acknowledged the issue, with the former referring to an investigation, and the latter, which has a bug report on the issue, advising users to turn off the password manager in Firefox until it is fixed.
The password managers in browsers help millions of Internet users log onto blogging, social networking, Web mail, portal and an array of other sites, and the RCSR vulnerability was reportedly exploited on the popular site MySpace, Chapin said.
The RCSR attack could also be combined with a bogus phishing site to target the attack for more valuable passwords and information, such as online banking, IT-Harvest Chief Research Analyst Richard Stiennon told TechNewsWorld.
“From here on out, best practice is going to be to stop using [password managers],” he said.
Bigger Hole for Firefox
The vast majority of Internet attacks and scams are aimed at Windows users, and while Firefox typically enjoys a security advantage because of its separation from the operating system and faster response to issues, the RCSR is one instance in which the open source browser may be more risky than IE, according to Chapin. He said he reported the issue to Mozilla earlier this month.
While neither browser bolsters password protection for the RCSR scheme, Firefox automatically fills in saved user names and passwords when presented with bogus sign-in forms, Chapin warned.
“This behavior does not occur in Internet Explorer unless the RCSR form appears on the same page as a legitimate login form,” he pointed out.
Mozilla, which has displayed the speed and transparency advantages of its open source development for security before, is reportedly working on a fix.
The password manager vulnerability is made worse by the fact that the fake sign-in forms can be completely hidden from view, Chapin reported, thus allowing a saved password to be transmitted to another site unwittingly by clicking an invisible image link.
Chapin recommended changes for both Firefox and Explorer, adding that Webmasters should review server code for the possibility of RCSR and cross-site scripting (XSS) injections, particularly for encrypted sites.
Attacks leveraging the password manager weaknesses could work against firewalled, local network servers and HTTPS addresses that would not otherwise be available, because no direct access or client-side scripting is needed, Chapin said.
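Two of the points above lend themselves to a concrete check: the browser-side test that Chapin says Firefox 2.0 and IE 7 lacked (compare where a form will submit with where the credential was saved before auto-filling it), and the webmaster-side review of user-contributed HTML for forms that post off-site. The following is an added example written for this article; it is not code from Mozilla, Microsoft or Chapin Information Services. The function names (`formSubmitOrigin`, `isSafeToAutofill`, `findOffsiteForms`), the hostnames `trusted.example` and `other.example`, and the sample forum HTML are all constructed for illustration, and the HTML scan is regex-based rather than a full parser, so treat it as a triage aid rather than a complete audit.

```javascript
// Added example (not from the article or any browser vendor's code).
// Models the destination check the article says the two browsers did not
// perform before auto-filling a saved password, plus a server-side scan a
// webmaster could run over user-supplied HTML.

// Resolve a form's action attribute against the page URL the way a browser
// would and return the origin the form will submit to. A missing or empty
// action submits back to the current page.
function formSubmitOrigin(pageUrl, action) {
  const page = new URL(pageUrl);
  if (action === undefined || action === null || action.trim() === "") {
    return page.origin;
  }
  return new URL(action.trim(), page).origin;
}

// Decide whether credentials saved for `savedOrigin` may be auto-filled into a
// form on `pageUrl` whose action attribute is `action`. Both the page showing
// the form and the form's destination must match the origin the credential
// was saved for; anything unparsable is refused.
function isSafeToAutofill(savedOrigin, pageUrl, action) {
  let target;
  try {
    target = formSubmitOrigin(pageUrl, action);
  } catch (e) {
    return false;
  }
  return new URL(pageUrl).origin === savedOrigin && target === savedOrigin;
}

// Webmaster-side review: list <form> tags in user-supplied HTML whose action
// resolves to a different origin than the page they appear on. Regex-based,
// so it approximates what an HTML parser would see; good enough to flag a
// post for manual review.
function findOffsiteForms(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const results = [];
  const formTag = /<form\b[^>]*>/gi;
  let m;
  while ((m = formTag.exec(html)) !== null) {
    const tag = m[0];
    const attr = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
    const action = attr ? (attr[1] ?? attr[2] ?? attr[3]) : "";
    let origin;
    try {
      origin = formSubmitOrigin(pageUrl, action);
    } catch (e) {
      origin = "(unparsable)";
    }
    if (origin !== pageOrigin) {
      results.push({ tag, action, origin });
    }
  }
  return results;
}

// Constructed sample: a forum thread on a trusted site containing the site's
// own login form, a hidden user-posted form that submits elsewhere, a
// scheme-relative off-site form, and a form with no action at all.
const SAMPLE_PAGE = "https://trusted.example/forum/thread/42";
const SAMPLE_HTML = `
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
<div style="display:none"><form action="https://other.example/collect" method="post">
<input name="user"><input name="pass" type="password"></form></div>
<form action="//other.example/c"><input name="pass" type="password"></form>
<form method="post"><input name="pass" type="password"></form>
`;

// Report which forms on the sample page a reviewer should look at.
for (const hit of findOffsiteForms(SAMPLE_HTML, SAMPLE_PAGE)) {
  console.log(`off-site form submitting to ${hit.origin}: ${hit.tag}`);
}
```

The origin comparison is deliberately strict: an `http://` page is refused credentials saved for the `https://` origin, and a scheme-relative action such as `//other.example/c` is resolved before comparison so it is caught just like an absolute one. Only forms whose resolved destination differs from the page origin are reported, so a site's own login form is not flagged.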