Multiple Browsers Vulnerable to Password Theft
Saturday, November 25th, 2006In what’s being termed a Reverse Cross-Site Request (RCSR) vulnerability by Chapin Information Services (CIS), brought to light after a phishing scam on MySpace, multiple browsers across multiple platforms are vulnerable.
There’s been a lot of hype over the vulnerability in Firefox, mostly from the fanboi’s of a competing browser. This has been called a flaw, a security hole and has even been labeled “Critical” by some. This is not the case. This vulnerability has been classified as “less critical’ by Secunia and “low risk” by FrSIRT. Well, guess what? Firefox is not the only browser vulnerable to this type of attack, Internet Explorer 7, Netscape and Safari are vulnerable as well.
This vulnerability could affect anyone, using FireFox, IE7, Netscape and Safari, visiting a website that allows user-contributed HTML code.
The browser is not directly fooled, by the RCSR exploit. Instead the user is presented with a fake login page that fool’s the browser into providing the UserID and Log-In information. None of these browsers were designed to check the form data before submission.
The risk to the average user is negligible, diligence on the part of the user and this type of exploit is not successful. However, this type of attack can be particularly effective, as the user is presented with a Log-In page very similar to the one they are used to seeing on a website they trust.
The Firefox developers are actively pursuing a fix that will be forth coming in either version 2.0.0.1 or 2.0.0.2. The fix is a bit more problematic than most as it will require changes in the “User Interface”. The fix may not make it into 2.0.0.1 because of this. Earlier versions of Firefox are also affected, it is not clear if a fix is forthcoming for those versions.
Firefox developer discussion at Bugzilla Bug 360493 Cross-Site Forms + Password Manager = Security Failure
Microsoft has acknowledged the vulnerability, but inquires by Chapin Information Services (CIS) have been met with this response from Microsoft.
“We are aware of the issue you reported.” And, “As a matter of policy, we cannot comment on ongoing investigations.”
It may be months before a fix is available for Internet Explorer 7
I have located no official documentation or statements by Apple regarding this vulnerability in Safari.
How to Protect Yourself
- Firefox: Disable the Password Manager.
1.Click on Edit -> Preferences
2.In the Firefox Preferences window, select Security.
3.Make sure the following are unchecked under Passwords:
- Remember passwords for sites
- Internet Explorer 7: Disable ActiveX
- IE > Tools > Internet Options > Security > Trusted Sites
- Change to Custom, scroll down to “Active X controls and plugins” either change to “Prompt” or “Disable”.
- Netscape: Disable the “Automatically Fill Passcard” or “Automatically Log In” option in the preferences of Passcard Manager and always check the URL before invoking it.
- Safari: Disable AutoFill
1. Click on Edit -> Preferences
2. Under AutoFill, make sure the following are unchecked :
- User names and passwords
UPDATED: (30 November 2006)
ADDED: Netscape, as a vulnerable browser
ADDED: Secunia Advisory 23066
ADDED: Secunia Advisory 23108
References:
Phishing potentiality affects Safari, Firefox password storage
CIS Finds Flaws in Firefox v2 Password Manager
Bugzilla Bug 360493 Cross-Site Forms + Password Manager = Security Failure
Firefox, IE Vulnerable to Password Theft
Firefox Password Manager information Disclosure
Internet Explorer 7 “mhtml:” Redirection Information Disclosure
Mozilla Firefox Password Manager Arbitrary Credentials Disclosure Vulnerability
Netscape Passcard Manager Information Disclosure
Safari AutoFill Information Disclosure
