Firefox 2.0 Password Manager Bug Exposes Passwords
zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."
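The flaw described in the summary comes down to matching a saved login on the page's domain alone. As an added example (not part of the original post and not Firefox's code), here is one stricter fill policy a password manager could apply; the record fields, reason strings and example.com URLs are constructed for illustration.

```javascript
// Added illustration of an autofill policy; not Firefox's implementation.
// Assumption: each saved login records the origin of the page it was saved on
// and the origin its form submitted to.
const SAVED_LOGIN = { // constructed sample record
  pageOrigin: 'https://www.example.com',
  actionOrigin: 'https://www.example.com',
};

function originOf(url, base) {
  try {
    return new URL(url, base).origin;
  } catch {
    return null; // relative URL without a base, or not a URL at all
  }
}

// form: { pageUrl, action, fieldsVisible } describing a form found on the page.
function autofillDecision(saved, form) {
  const pageOrigin = originOf(form.pageUrl);
  // An empty action submits to the document's own URL.
  const actionOrigin = originOf(form.action || form.pageUrl, form.pageUrl);
  if (pageOrigin === null || actionOrigin === null) {
    return { fill: false, reason: 'unparseable-url' };
  }
  if (pageOrigin !== saved.pageOrigin) {
    return { fill: false, reason: 'page-origin-mismatch' };
  }
  // Same site is not enough: user-supplied markup on that site can post elsewhere.
  if (actionOrigin !== saved.actionOrigin) {
    return { fill: false, reason: 'action-origin-mismatch' };
  }
  // Invisible fields give the user no cue that credentials were filled.
  if (!form.fieldsVisible) {
    return { fill: false, reason: 'fields-not-visible' };
  }
  return { fill: true, reason: 'match' };
}

// Constructed cases: the site's own login form, then a form embedded in a user page.
const loginForm = { pageUrl: 'https://www.example.com/login', action: '/session', fieldsVisible: true };
const profileForm = { pageUrl: 'https://www.example.com/users/someone', action: 'https://other.example.net/collect', fieldsVisible: false };
console.log(autofillDecision(SAVED_LOGIN, loginForm));
console.log(autofillDecision(SAVED_LOGIN, profileForm));
```

The visibility check on its own would not help against the look-alike login form mentioned in the summary, which is why the action-origin comparison comes first.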
Firefox can be just as bad as, if not worse than, IE!
scumbags...
Haw haw!
I cloned your RFID weeks ago, and you never knew it happened.
But since I've never been stupid enough to willingly store my passwords anywhere other than my head (yes, I know Windows caches passwords, that's why I use Linux) my web site passwords are still quite secure, thank you.
Maybe the headline should be "FIREFOX USERS JUST AS STUPID AS EVERYONE ELSE" since clearly people have been using the password manager that never should have been included in the product in the first place.
My kids (7 & 10 years old) were smart enough to figure that one out...