Firefox, IE7 Vulnerable to Fake Log-in

Ken-Hardin

Both Firefox and Microsoft IE 7 are vulnerable to a form of fake log-in attack that was used in a MySpace scam last month.


Researcher Robert Chapin, who discovered the attack, says a piece of HTML embedded in a genuine site page (in this case, a MySpace profile) prompts the user to log in. It takes particular advantage of the password autofill feature in Firefox, and of the fact that neither browser checks carefully enough where it is about to send the password information.
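The check the article says both browsers skipped, written out as an added example (not code from the post or from either browser): before offering a saved password, compare the origin the form will post to with the origin of the page it sits on. The page URL, the form objects and the host names below are constructed for illustration.

```javascript
// Added example: the origin check a password manager should run before
// autofilling. Forms are plain objects standing in for DOM <form> elements.

// Resolve a form's action the way a browser does: an empty or missing action
// submits to the page URL itself; relative and protocol-relative actions are
// resolved against the page URL.
function resolveFormAction(pageUrl, action) {
  const base = new URL(pageUrl);
  if (typeof action !== 'string' || action.trim() === '') {
    return base;
  }
  return new URL(action.trim(), base);
}

// A saved password should only be offered when the form posts back to the
// same origin (scheme + host + port) that the credential was saved for.
function isSameOriginSubmit(pageUrl, action) {
  let target;
  try {
    target = resolveFormAction(pageUrl, action);
  } catch (e) {
    return false; // unparsable action: never autofill into it
  }
  // Non-http(s) targets (javascript:, data:, ...) never count as same origin.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return false;
  }
  return target.origin === new URL(pageUrl).origin;
}

// Report every form that carries a password field but would post off-origin,
// which is exactly the shape of a log-in box injected into a profile page.
function findOffOriginPasswordForms(pageUrl, forms) {
  return forms.filter(
    (f) => f.hasPasswordField && !isSameOriginSubmit(pageUrl, f.action)
  );
}

// Constructed sample: a profile page carrying the site's own log-in form, a
// harmless search form, and an injected form pointing at a look-alike host.
const SAMPLE_PAGE = 'http://profile.example.com/user/1234';
const SAMPLE_FORMS = [
  { id: 'site-login', action: '/login.do', hasPasswordField: true },
  { id: 'search', action: 'http://search.example.com/q', hasPasswordField: false },
  { id: 'injected', action: 'http://profile.example.com.lookalike.test/collect', hasPasswordField: true },
];
```

Running `findOffOriginPasswordForms(SAMPLE_PAGE, SAMPLE_FORMS)` flags only the injected form; the site's own relative-action log-in form passes.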


Security is the biggest push for both new browsers, but seemingly criminals are still up to the challenge of finding ways to rip you off.

Nov 26, 2006 3:32 AM Biju says:
https://bugzilla.mozilla.org/show_bug.cgi?id=360493 What Robert Chapin found was not a browser flaw; it is a myspace.com flaw due to insufficient sanitizing done by myspace.com on user-submitted content. Cross-site form submit is a feature that has been very much used for around 10 years or more. If you stop that, even big sites like Bank of America or many sites using the MS passport.net service will stop functioning. As of Nov 25, I have not seen mozilla.org acknowledge it as a flaw. See http://www.mozilla.org/projects/security/known-vulnerabilities.html
Dec 11, 2006 10:44 AM melon says:
Don't worry. Mozilla fixes the bugs faster than other browsers, because it is faster. Did you know that you can significantly speed up Firefox? You can find a manual on how to easily tweak Firefox over here: http://www.miscproject.com/blog/about/
Feb 8, 2007 8:07 AM chris says:
I did a search on this because I knew someone would do it, fed by a bit of paranoia on my part. The simplest way to fix it is in the Password Remember options: the user selects or types something that should be shown every time the box comes up, e.g. a welcome message "H3ll0 Cr4zy M4n!" Thus, if you don't see that in the global password request box, you would know it's a phish attempt. Is that the best solution or what?
