Critical Firefox Hole Allows Password Theft
November 23, 2006 (<a href='http://www.idg.net/' target='_blank'>IDG News Service</a>) – A flaw in Mozilla Corp.'s Firefox browser makes it easy for cybercriminals to steal user information on Web sites where users create their own pages, such as MySpace.com.
The attack was used in a MySpace phishing attack reported in late October. In that attack, users registered a MySpace account named login_home_index_html and used it to host a fake log-in page that exploited the flaw.
Firefox developers rate this bug critical, according to an <a href='https://bugzilla.mozilla.org/show_bug.cgi?id=360493' target='_blank'>entry in the project's Bugzilla database</a>.
Read the full article <a href='http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=17&articleId=9005379&intsrc=hm_topic' target='_blank'>here</a>. A PoC/demonstration can be found <a href='http://www.info-svc.com/news/11-21-2006/rcsr1/' target='_blank'>here</a> and technical information can be found <a href='http://www.info-svc.com/news/11-21-2006/' target='_blank'>here</a>.
ghost 17 years ago
It's clearly not only about MySpace. It was used in MySpace. Read the whole thing including the technical information (and try out the demonstration if you wish).
ghost 17 years ago
"In the MySpace attack, for example, Firefox would check to see if the form was coming from the MySpace.com domain, but did not make sure that the password information was being sent back to a MySpace server." Well lol, if Firefox still checks whether it still sends the info to myspace.com, my own 0day I have just found in MySpace will still work :D
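Added example (not part of the original article or thread): the gap described in the article sentence quoted above, written as a password-manager fill check that validates the form's submission target as well as the page it appears on. The saved-entry shape, function names and hostnames are assumptions made for illustration, not Firefox code.

```javascript
// Resolve the form's action against the page URL. An empty action submits
// back to the page itself, as in normal HTML form handling.
function resolveAction(pageUrl, action) {
  try {
    return new URL(action === '' ? pageUrl : action, pageUrl);
  } catch (e) {
    return null; // unparsable action: treat as untrusted
  }
}

// Weak check, as the quoted sentence describes it: only the page hosting the
// form is compared with the site the password was saved for.
function weakShouldFill(saved, pageUrl) {
  return new URL(pageUrl).origin === saved.origin;
}

// Hardened check: the page AND the submission target must both match the
// origin the credential was saved for, and the target must be http(s).
function strictShouldFill(saved, pageUrl, action) {
  const page = new URL(pageUrl);
  const target = resolveAction(pageUrl, action);
  if (target === null) return false;
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return false;
  return page.origin === saved.origin && target.origin === saved.origin;
}

// Constructed sample data; the hostnames are placeholders.
const saved = { origin: 'https://social.example.test' };
const cases = [
  // Genuine login form posting back to the same site.
  { page: 'https://social.example.test/login', action: '/auth' },
  // User-created page on the same site whose form posts elsewhere.
  { page: 'https://social.example.test/user_page', action: 'https://collector.invalid/save' },
  // Non-http(s) action on a user-created page.
  { page: 'https://social.example.test/user_page', action: 'javascript:void(0)' },
];

function evaluate() {
  return cases.map(c => ({
    weak: weakShouldFill(saved, c.page),
    strict: strictShouldFill(saved, c.page, c.action),
  }));
}

console.log(evaluate());
```

The weak check approves all three forms because they all sit on the trusted site; the strict check approves only the first.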
Uber0n 17 years ago
Hmm I never save passwords in my browser or in applications… I don't trust them ^^. I use my head instead :D
ghost 17 years ago
Yeah, I think it's a bit dodgy saving passwords anywhere, I try to remember them or create a random one and log in to my mail every time to get a reset one which I use, so no one can get my passwords :happy:
ghost 17 years ago
Mmm a little old, but just goes to show all you die-hard Firefox fans that it really isn't the best security-wise. The thing is that cause so few people use it, people haven't bothered to find exploits in it. But that's changing :/
ghost 17 years ago
Didn't you read the Shiflett? All browsers except Opera are vulnerable. It's just the POC which is Firefox.
ghost 17 years ago
Wasn't promoting any other browsers, was simply saying Firefox really isn't all that secure… at least not as secure as everyone is saying…
ghost 17 years ago
Yeah… I don't use that save password function for this reason and I use Opera for anything that is secure or anything dealing with money (PayPal, tuition payments, etc.) but, I agree with blumoose, it does prove that FF isn't the end all and also proves that a foolproof system will fail, because there is always a fool.
ghost 17 years ago
wow…I really hate MySpace, so I think that was quite clever. And Opera is nice, from what I understand, it was the first browser to use tabs. I agree w/ only_samurai, it is great for dealing w/ money and secure stuff