[orangepeel]

From: - Firefox gives passwords away


Firefox gives passwords away
Bugged
By Nick Farrell: Wednesday 22 November 2006, 08:27

THE MOZZARELLA Foundation has issued a security warning on its Firebadger open sauce browser.

Apparently the browser's secure password manager has a nasty habit of telling other people your user name and password.

The problem comes about because Firebadger supplies the username and password stored on one page on a domain to another page on a domain. For example the Username and password input tags on a Myspace user's site will be shared along with the visitor's Myspace.com credentials.

According to Robert Chapin, of Chapin Information Services, who reports the problem on Bugzilla, the flaw means that passwords can be stolen without punters being aware of it.

In the short term, Mozzarella is suggesting avoiding using Password Manager and the Master Password Timeout Firefox extension.

However, an exploit found in the wild mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in.

More here. µ

[Steve]

Thanks for bringing this up.

After further research on your posted links it appears as though this behaviour is not exclusive to Firefox ... both IE6 & 7 (plus their derivatives) also suffer in exactly the same way (quotes below from the links you posted).

With that in mind I have changed the title of your post to make the IE users aware too

Quote:

------- Comment #3 From Bob Clary 2006-11-12 19:38 PST [reply] -------
Note MSIE6|7 do the same.

Quote:

(Microsoft's response on IE, "We are
aware of the issue you reported," makes me wonder if this attack will remain
viable on IE for some time, even after FireFox is fixed.)