Firefox 2 Browser Struck by Password Flaw

Firefox 2 Browser Struck by Password Flaw
By David Garrett
November 24, 2006 8:07AM

The Mozilla Foundation, which maintains code for the Firefox browser, has acknowledged that there is a problem with the Firefox Password Manager and has named it bug #360493. Microsoft has also admitted that the newly discovered password bug can affect Internet Explorer as well, but most reports indicate that Firefox is the more likely target because of the way it stores usernames and passwords.

Mozilla's Firefox 2.0 has long been considered a safer Web browser than Microsoft's Internet Explorer, but a new flaw in the Firefox Password Manager, which lets users store usernames and passwords for trusted Web sites, could let hackers steal their login data.
The problem, known as a reverse cross-site request, or RCSR, was first discovered by Robert Chapin, a Microsoft Certified Systems Engineer (MCSE) and I.T, consultant. The RCSR appears on blogs, message boards, or group forums that let users add comments with embedded HTML code.

On sites that allow users to enter code, a hacker can embed a form that tricks the user's browser into sending its username and password information to the hacker's computer. Because the form is embedded on a trusted Web site, the browser's built-in antiphishing protection, which is designed to alert users to fraudulent Web sites, does not detect the problem.

More....