Thursday, November 23, 2006

Security Flaw in FireFox 2 allows Phishing Attacks.


There is a vulnerability in Firefox 2 that allows phishing attacks. The vulnerability is caused due to the Password Manager not properly checking the URL before automatically filling in saved user credentials into forms. This may be exploited to steal user credentials via malicious forms in the same domain. Secunia has reported this problem. Version 2.0 is affected and other versions might be affected too.

This problem seems to be the first major flaw reported in the version 2.o of firefox. There is a crash condition that was reported to exist in Firefox 2 recently but that was not a very common issue. But this is the first major flaw with the latest version. This problem has been dubbed as the reverse cross site request (RCSR) by the person who detected this flaw Mr. Robert Chapin.

Even though this problem is categorized as less critical by the Security firm Secunia the consequences of the flaw being exploited by the malicious people could be highly harmful to the users. Since a fake login page can be easily set up or a page that proxies traffic to a popular website like myspace can be set up and when the password is automatically filled in my the firefox password manager ( it does not verify the server to which te password is send ) it can be easily sniffed by the attacker. This can happen to users logging into blogs or other sites.

Surprisingly the same kind of problem exists with Internet Explorer 7 but since IE does a more thorough check before filling in forms it is vulnerable only if the reverse cross site request (RCSR) page (which is the attack page)appears on the same page as the login page.

Solution:
Disable the "Remember passwords for sites" option in the preferences.
Along with this disabling Password Manager is the other suggested solution.

This problem adds on to the recent multiple vulnerabilities spotted in older versions of FireFox and Sea monkey recently.
You can see that report here.

The other recent issues with Firefox has been reported here:-

Microsoft and Secunia at it again. And FireFox 2 too affected?
All IE 7 and Firefox 2 Vulnerabilities as of date.

Related Reading:-
Everything you wanna know about phishing attacks.

Google