A colleague of mine just sent me this article. This is surprising and frightening at the same time.
http://www.info-svc.com/news/11-21-2006/
Apparently crafty phishers have found a way to tap into the 'Remember my Password for this' feature of Firefox (and, from what I was reading, IE6 and IE7 as well) and auto-populate the password field of forms that post to a different domain. This requires some work on the hackers' part, but it works with scary efficiency.
PS: This is the Firefox Bugzilla entry for this known bug.
Potential Firefox password manager vulnerability
- RobertGonzalez
- Site Administrator
- superdezign
- DevNet Master
Yeah, but you'd still need to visit the MySpace profile and submit your information.
EDIT:
Actually, in the case of using Firefox, you need to fill in the username before the password would auto-fill. You'd need MySpace, for example, to auto-fill the username, thus auto-filling the password. As well, you need to click submit and, before anything, visit the MySpace profile.
EDIT 2: And from this example: https://bugzilla.mozilla.org/attachment.cgi?id=245426 I get a warning from Firefox explaining that this information is to be sent to a third-party server. At least this is because I have the most recent version of Firefox.
There are 2 issues here. First, the fact that FF (and IE, apparently) fills in a password without checking the action of the form (going to another domain). That should be solved, in my opinion without a popup asking "Are you sure you want to ...", as that doesn't work anyway and is only irritating.
But the other thing is that allowing users to use HTML and create forms on their pages is silly. Another reason why user-generated HTML is a bad idea.
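The check the post above says the browser should make, written out as an added example (not code from this thread, from Firefox or from MySpace): resolve the form's action against the page URL the way the browser does on submit, and refuse to auto-fill a saved password when the resulting origin (scheme, host and port) is not the page's own. The function names and the sample page and collector hosts are constructed for illustration.

```javascript
// Added example: should a saved password be auto-filled into this form?
// The decision depends on where the form actually submits, not on the page
// it is embedded in. Uses the WHATWG URL API (browsers and Node.js).

function resolveFormAction(pageUrl, action) {
  // A missing or empty action submits to the page URL itself.
  if (action === undefined || action === null || action.trim() === "") {
    return new URL(pageUrl);
  }
  // Relative actions ("/login", "login.php") resolve against the page URL,
  // exactly as the browser resolves them on submit.
  return new URL(action, pageUrl);
}

function canAutofillPassword(pageUrl, action) {
  const page = new URL(pageUrl);
  let target;
  try {
    target = resolveFormAction(pageUrl, action);
  } catch (e) {
    // A malformed action never gets a credential.
    return { allow: false, reason: "unparseable form action" };
  }
  // Only http(s) submissions are candidates; javascript:, data:, etc. are not.
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return { allow: false, reason: "unsupported scheme " + target.protocol };
  }
  // Origin comparison covers the case from the thread (a user-authored form on
  // a profile page posting to another host) and an https-to-http downgrade,
  // since the scheme is part of the origin.
  if (target.origin !== page.origin) {
    return { allow: false, reason: "cross-origin action " + target.origin };
  }
  return { allow: true, reason: "same-origin action" };
}

// Constructed sample: three forms found on one hypothetical profile page.
function demo() {
  const pageUrl = "https://www.example.com/profile/12345";
  const forms = [
    { name: "site login", action: "/login" },
    { name: "default action", action: "" },
    { name: "profile-embedded form", action: "https://collector.example.net/c" },
  ];
  return forms.map((f) => ({ name: f.name, ...canAutofillPassword(pageUrl, f.action) }));
}
```

Only the first two forms in `demo()` are allowed a credential; the embedded one is refused as cross-origin.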
- AKA Panama Jack
- Forum Regular