Password vulnerability in Firefox 2

The vulnerability is caused due to the Password Manager not properly checking the URL before automatically filling in saved user credentials into forms. This may be exploited to steal user credentials via malicious forms in the same domain.

No patch - workaround is to turn off "Remember passwords for sites"

Once again, myspace is apparently being used to take advantage of the exploit. When the hell are those behind myspace going to get their act together?

http://secunia.com/advisories/23046/
http://news.zdnet.com/2100-1009_22-6137844.html

Proof of concept:
http://www.info-svc.com/news/11-21-2006/rcsr1/

Zdnet says IE7 is vulnerable, but I cannot reproduce this. The Google URL in firefox shows the password:
http://www.google.com/search?q=Chapin+Information+Services&loginuser=sam&loginpass=spade&x=&y=

IE7 does not:
http://www.google.com/search?q=Chapin+Information+Services&loginuser=&loginpass=&x=168&y=47

Published Thu, Nov 23 2006 6:12 by sandi

Comments

# re: Password vulnerability in Firefox 2

Tuesday, January 02, 2007 4:39 PM by patson dzaha

i just want to have access to his account

for some reasons

Spyware Sucks

Blog Recent Posts

Syndication

Search

News

Blog Archive List

Tag Cloud