p2pnet.net — Are you one of those people who lets Firefox save your passwords so you don't have to type them in again? That might not be such a good idea, Robert Chapin says. That's because he's found a new security hole in the Mozilla Firefox web browser he's calling a Reverse Cross-Site Request (RCSR).
Nov 21, 2006
arunforce Nov 23, 2006
It's called phishing, dumbass. Now give me my 5 bucks.
xswag Nov 23, 2006
What about KeePass? That's my new favorite password manager and you can use it from a USB Flash Drive. http://keepass.sourceforge.net/
triple110 Nov 23, 2006
@NovaMonket A mental note you should make to yourself... admitting that you have committed a crime on a very public website will only lead to cars with pretty lights at your door. If you think you are going to become some famous haxor now, you are wrong. Grow up.
Closed Account Nov 23, 2006
This is a problem for websites that allow *any* user-provided HTML, like myspace. A malicious user can present their own login form. Here's the issue: browsers like Firefox and IE will autofill this malicious login form with your myspace username and password, without any intervention on your part. The form could even be hidden from view. The browsers do this because the form is hosted from the myspace.com domain, even though it was created by some malicious user. Then, the malicious page simply gets you to click on something that will submit the form, like a movie or picture, and presto, your password is submitted to the destination of their choice without you knowing that anything is irregular. Most web sites don't allow users to generate this kind of html -- the exploit can't be used to get your Digg password or your bank account -- but it can be used on myspace. It's one of many exploits that target myspace users. Outside of myspace it's not a threat.
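An added example, not part of any comment in this thread and not from the original page: a minimal server-side check, in Python, that a site accepting user-provided HTML could run to reject fragments containing a password field or a form that posts to another host, which is the markup the comment above says browsers autofill. The host names, sample fragments and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LoginFormAudit(HTMLParser):
    """Collects forms and password inputs found in an untrusted HTML fragment."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self.open_form_action = None  # action of the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values are left as written.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.open_form_action = a.get("action", "")
            host = (urlparse(self.open_form_action).hostname or "").lower()
            if host and host != self.site_host:
                self.findings.append(("off-site-form-action", host))
        elif tag == "input" and a.get("type", "").lower() == "password":
            # A password field served from the site's own domain is what the
            # browser's password manager prefills, whoever authored the markup.
            self.findings.append(("password-input", self.open_form_action or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self.open_form_action = None


def audit_user_html(fragment, site_host):
    """Return findings that should make a user-content filter reject the fragment."""
    parser = LoginFormAudit(site_host)
    parser.feed(fragment)
    parser.close()
    return parser.findings


# Constructed samples: profile markup as a user might submit it.
SAMPLE_BENIGN = '<p>My band <b>rocks</b></p><img src="/u/42/pic.jpg">'
SAMPLE_FORM = ('<form action="https://collector.example/save">'
               '<input name="email"><input type="password" name="password"></form>')

if __name__ == "__main__":
    for name, html in (("benign", SAMPLE_BENIGN), ("form", SAMPLE_FORM)):
        print(name, audit_user_html(html, "social.example"))
```

An empty result means the fragment contains neither pattern; any finding is grounds to strip the element or reject the submission before it is served from the site's domain.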
zanzaman Nov 23, 2006
Mac OSX: the hack mentioned reveals login & password in Firefox but NOT in Safari
lecherousvenom Nov 23, 2006
@ Caffeine: Thanks for the explanation....makes more sense now.
poseitun Nov 24, 2006
You have to CTRL-Click or press CTRL-Enter in Opera to use a prestored password in a login box. Usually you don't use this key-combo for clicking on an image ;-) So Opera is not vulnerable in the same way as FF. But if you can trick a user to ctrl+click on an image (like this exploit)... I think you are all set... I haven't tested it though.
joeysafe Nov 26, 2006
@poseiton Good explanation, bad guess (tested). Opera is safe as pie and all I use.
kb1775 Nov 29, 2006
This is a major security concern and could potentially have a large impact on electronic commerce if word gets out. So many people shop online and use electronic transactions because they believe the transactions to be safe/secure and reliable. With so many companies depending on electronic commerce to support their business and so many people using passwords to shop online, this bug could be disastrous to ecommerce. Seems like the ease of saving your password online might be outweighed by the possibility of having someone steal your password to myspace and then try it on every other site you visited to buy something. Some of those sites have credit card information and other sensitive information stored on them as well.
drdemo Mar 14, 2007
If you are inclined to allow the saving of passwords. All is safe again, thanks to Sebastian Tschan. We now have the Opera functionality with a Firefox Extension... Secure Login: https://addons.mozilla.org/firefox/4429/ A login extension similar to Opera's Wand login. It uses the built-in password manager, but deactivates the prefilling of login forms.