Firefox, IE vulnerable to fake login pages?
Mac Enthusiast
Join Date: Nov 2005
Location: Houston
Nov 22, 2006, 02:43 PM

not sure how this affects mac users, but just another headache for the 'net.

damned hackers!

****

Firefox, IE vulnerable to fake login pages?
By Tom Espiner, ZDNet (UK)
Published on ZDNet News: November 22, 2006, 7:09 AM PT

Mozilla's Firefox 2 and Microsoft's Internet Explorer 7 are vulnerable to a flaw that could allow attackers to steal passwords.

Dubbed a reverse cross-site request, or RCSR, vulnerability by its discoverer, Robert Chapin, the flaw lets hackers compromise users' passwords and usernames by presenting them with a fake login form. Firefox Password Manager will automatically enter any saved passwords and usernames into the form.

The data is then automatically sent to an attacker's computer without the user's knowledge, according to the Chapin Information Services site.

Firefox, IE vulnerable to fake login pages? | Tech News on ZDNet
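The RCSR scenario the article describes (a login form injected into a trusted site whose action points at an attacker's server, which the password manager then fills in) is what an origin-and-action check in the password manager defends against. The following is an added illustrative example, not code from Firefox, IE or the article; the `savedLogin` and `autofillDecision` helpers and all URLs are constructed.

```javascript
// Illustrative autofill check (hypothetical helper, not a real browser's code).
// A saved login is keyed by the site it was saved on and the origin the
// login form posted to at the time it was saved.
function savedLogin(siteOrigin, actionOrigin) {
  return { siteOrigin, actionOrigin };
}

// Resolve a (possibly relative) URL against the page URL and return its
// origin; null if the string cannot be parsed at all.
function originOf(urlString, base) {
  try {
    return new URL(urlString, base).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether `saved` may be filled into a form found on `pageUrl` whose
// action attribute is `formAction` (absolute, relative or empty).
// Returns the decision plus a reason a UI could show the user.
function autofillDecision(saved, pageUrl, formAction) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin !== saved.siteOrigin) {
    return { fill: false, reason: 'form is not on the site the login was saved for' };
  }
  // An empty action submits to the current page, so it is same-origin.
  const actionOrigin = formAction ? originOf(formAction, pageUrl) : pageOrigin;
  if (actionOrigin === null) {
    return { fill: false, reason: 'form action could not be parsed' };
  }
  if (actionOrigin !== saved.actionOrigin) {
    // The RCSR case: a form on the genuine site that posts somewhere else.
    return {
      fill: false,
      reason: `form posts to ${actionOrigin}, login was saved for ${saved.actionOrigin}`,
    };
  }
  return { fill: true, reason: 'page and form action match the saved login' };
}

// Constructed sample: a login saved for www.example.com, then a genuine
// form and an injected form that posts to attacker.example.
const exampleSaved = savedLogin('https://www.example.com', 'https://www.example.com');
const genuine = autofillDecision(exampleSaved, 'https://www.example.com/login', '/session');
const injected = autofillDecision(exampleSaved, 'https://www.example.com/profile/123',
  'https://attacker.example/collect');
console.log(genuine.fill, genuine.reason);   // true
console.log(injected.fill, injected.reason); // false, form posts elsewhere
```

The protocol-relative form `//attacker.example/collect` resolves to the attacker's origin as well, so it is refused by the same comparison.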
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Nov 22, 2006, 05:15 PM

NEVER, EVER depend on your browser to maintain passwords!!!! That's crazy talk!

Seriously, this isn't as much a flaw in those browsers as a failing of the user. I never let any browser store my passwords (and I dump any usernames the browser does store when I first get it set up) because it's a security risk. Finding out that there's a mechanism to pull UNSUBMITTED data (I didn't see any discussion of how THAT works) from a form is just another reason to NEVER let a browser keep anything like that at all.

The really big deal is not that there is a vulnerability for people who let their browsers save their login data (what a BAD idea that is!), but that MySpace has apparently been completely compromised. There are tons of people who have used the MySpace facility to communicate with their friends, and the particulars of their security mechanisms to restrict access to their more private information to a select few. With the ability to harvest user names and passwords, the bad guys basically own MySpace and everything the members put on it.
Glenn -----
OTR/L, MOT, Tx
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Nov 22, 2006, 10:02 PM

Originally Posted by ghporter:
NEVER, EVER depend on your browser to maintain passwords!!!! That's crazy talk!

Seriously, this isn't as much a flaw in those browsers as a failing of the user. I never let any browser store my passwords (and I dump any usernames the browser does store when I first get it set up) because it's a security risk. Finding out that there's a mechanism to pull UNSUBMITTED data (I didn't see any discussion of how THAT works) from a form is just another reason to NEVER let a browser keep anything like that at all.

The really big deal is not that there is a vulnerability for people who let their browsers save their login data (what a BAD idea that is!), but that MySpace has apparently been completely compromised. There are tons of people who have used the MySpace facility to communicate with their friends, and the particulars of their security mechanisms to restrict access to their more private information to a select few. With the ability to harvest user names and passwords, the bad guys basically own MySpace and everything the members put on it.

Do you trust the OS X Keychain?
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Nov 25, 2006, 07:48 PM

Originally Posted by besson3c:
Do you trust the OS X Keychain?
The keychain? Yes. The browser (and its possible access to the keychain)? NO.
Glenn -----
OTR/L, MOT, Tx
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Nov 25, 2006, 08:28 PM

Originally Posted by ghporter:
The keychain? Yes. The browser (and its possible access to the keychain)? NO.


Well, doesn't Safari do the same sort of thing, only the passwords are saved in the Keychain?
     
Senior User
Join Date: May 2002
Location: Austria
Nov 26, 2006, 03:48 AM

Originally Posted by ghporter:
Finding out that there's a mechanism to pull UNSUBMITTED data (I didn't see any discussion of how THAT works) from a form...
THAT is very easy using JavaScript. It's the same mechanism used in AJAX (Web 2.0) applications. E.g., take the new beta Google search page that suggests search terms while you're typing. Of course it has to send everything you enter immediately (and before submitting) to the Google servers, otherwise it could not display suggestions.
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Nov 26, 2006, 04:23 AM

Originally Posted by ghporter:
Seriously, this isn't as much a flaw in those browsers as a failing of the user. I never let any browser store my passwords (and I dump any usernames the browser does store when I first get it set up) because it's a security risk.
That's like saying it's not IE's fault that it can infect your computer with a virus just because you visited a page because, hey, you shouldn't be using IE in the first place.

These browsers offer an autofill feature. If they can't offer it with a reasonable degree of security, they should either not include the feature or put up a warning with flashing red lights before it is enabled.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Nov 26, 2006, 08:28 AM

ALL autofill features are BAD. It's stupid to depend on your browser to fill in passwords for you, when the whole purpose of the browser is to connect to the Internet and there is no way for you to KNOW that it's not giving your password to a spoofed site. This particular exploit is just a new spin on the older spoof tactics.

Yes, I'm pretty adamant about this. Security is not something you can do half way; you either keep your passwords secure or you don't, and letting the browser handle them for you is NOT secure.

IE can infect your computer because a) you allow an ActiveX component to work when you don't know what it is, b) you visited a site that promised you something for nothing (these are big sources of bugs), c) you clicked on an ad, ANY ad, d) you haven't installed the latest patch for IE, or the one before that... or e) some combination of the above or f) other weirdness. In other words, IE is poo in terms of security, in part because (like a lot of Microsoft products) it tries to do too much. Firefox, on the other hand, doesn't allow ActiveX at all. You can still get into trouble with it, but at least there isn't a gaping hole with a flashing sign that says "infect me!" over it when you're running Firefox.

ANY TIME you're online, you should be suspicious of anything that asks for personal information. Since you cannot (apparently) believe what the page or its address says, then allowing your browser to supply credentials without your input is just dumb. It could be as dumb as this: "Do you have a credit card?" "Yes, and my ATM PIN is 1234, my mother's maiden name is Smith, and my favorite color is blue."
Glenn -----
OTR/L, MOT, Tx
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Nov 26, 2006, 01:41 PM

I see your point ghporter, but mine is that Firefox is no less safe than any other browser that has an Autofill feature, including Safari.

Like somebody said, anything that is typed into a field can be captured on the server end without even submitting a form.
     
Mac Elite
Join Date: Jul 2001
Location: Switzerland
Nov 27, 2006, 05:28 AM

Originally Posted by ghporter:
ALL autofill features are BAD. It's stupid to depend on your browser to fill in passwords for you (...)
I suspect you don't have to use and work in clients' CMS systems, logging in and out of them, all day long, do you?

Using autofill is, or rather was, a real time-saver, especially in Firefox with its ability to save several username/password combos for a given login page. Doing the WebConfidential round-trip each and every time is not something I look forward to, especially as I have 174 username/password combos stored there.
MBP 15" 2.33GHz C2D 3GB 2*23" ACD
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Nov 27, 2006, 09:42 AM

No I don't have to log into and out of a bunch of different systems on a daily basis. Not anymore anyway. I DID have to do that before I retired from the Air Force, and THOSE username/password combinations were a bear. I kept a list ON MY PERSON and used that, as password caching was specifically prohibited.

A utility that handles passwords securely is not the same thing as autofill in a browser, by the way, especially if the utility asks you EVERY TIME if you want to provide credentials or not. Unfortunately, there is not a lot of hard data on how secure any of these things are.
Glenn -----
OTR/L, MOT, Tx
     
   