Mozilla’s Firefox 2 and Microsoft’s Internet Explorer 7 are vulnerable to a flaw that could allow attackers to steal passwords. Dubbed a reverse cross-site request, or RCSR, vulnerability by its discoverer, Robert Chapin, the flaw lets hackers compromise users’ passwords and usernames by presenting them with a fake login form.
Firefox Password Manager will automatically enter any saved passwords and usernames into the form. The data is then automatically sent to an attacker’s computer without the user’s knowledge, according to the Chapin Information Services site.
An exploit for this flaw has already been seen on social-networking site MySpace.com, and it could affect anyone using a blog or forum that allows user-generated HTML code to be added, according to Chapin. “Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses,” Chapin said.
According to security company Netcraft, which discovered the exploit being used on MySpace, a fraudulent login page was hosted on the company’s own servers.