Mozilla today made bug #360493 public. It describes an attack using cross-site forms and a security flaw in the Firefox Password Manager to read stored passwords for a different site. There is a proof of concept that demonstrates that the bug can even be abused without any hint to the user - the form need not be visible for the auto-fill of the credentials to work, and Firefox does not even give a warning.
The type of attack has been coined a Reverse Cross-Site Request (RCSR).
As of the time of this post, there is no fix available. However, a possible workaround is to set a Master Password and use the Master Password Timeout extension with a very short timeout. One can also disable the password manager altogether.
The bug existed since at least Firefox 1.5. Also, similar bugs seem to exist in at least IE 6 and 7, but Microsoft say they're working on a fix.
iPhone-Entwickler für Festanstellung in Berlin gesucht. Gute Bezahlung und Benefits winken! Reply/DM/Facebook/... @ Fri Feb 26 09:33:43 +0000 2010
Comments are closed for this post