Nov 29th

Firefox password security hole

Author: eches | Files under Firefox, Internet, Security

If you let Firefox save your passwords, you might want to consider the downside of this habit. A new exploit known as Reverse Cross-Site Request (RCSR) can expose passwords saved for a website (a weblog or forum) that allows user-contributed HTML code to be added.

This security hole exposes Firefox users to greater vulnerability than Internet Explorer 7 users, even though RCSR attacks heavily target Internet Explorer 7.

A recent large-scale attack using RCSR targeted MySpace.com users and was first reported by Netcraft on 10/27/2006. That incident involved fake login forms on the MySpace website inviting users to type in their username and password.

Chapin says the problem is made worse by the fact that forms can be completely hidden from view. After a website password has been saved in Firefox, that password can be transmitted to another website when the user unwittingly clicks on an invisible image link.

You can see for yourself how this exploit works by visiting this link. Enter any username or password (random letters and numbers will do) and you will be taken to a new page with an embedded YouTube video. Take a closer look and you will notice that clicking on the video takes you to, fortunately, a Google search page (a phisher could redirect your password to their own website).

Yeah, it's scary indeed. Even if you are well aware of this issue, there is still a chance you will fall into this trap, as these login forms have a professional look and appear to be "official" and "original".
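One server-side check that a site accepting user-contributed HTML could run before publishing a post, shown here as an added example (not code from the original article or from Firefox): it flags any form, password field, or off-site form target in the submitted markup. The site URL, host names and sample comments are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormAudit(HTMLParser):
    """Collect form-related findings from user-contributed HTML."""

    def __init__(self, site_url):
        super().__init__()
        self.site_url = site_url
        self.site_host = urlparse(site_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "form":
            # Resolve relative actions against the page that hosts the content.
            target = urljoin(self.site_url, a.get("action", ""))
            offsite = urlparse(target).hostname != self.site_host
            kind = "offsite-form-action" if offsite else "form-in-user-content"
            self.findings.append((kind, target))
        elif tag in ("input", "button"):
            if a.get("type", "").lower() == "password":
                self.findings.append(("password-field", a.get("name", "")))
            if "formaction" in a:  # per-control override of the form target
                self.findings.append(("formaction-override", a["formaction"]))


def audit_user_html(html, site_url):
    """Return a list of (finding, detail) tuples; empty means no forms found."""
    parser = FormAudit(site_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample inputs (placeholders, not taken from any real site).
SITE = "https://forum.example/thread/1"
FLAGGED_COMMENT = (
    '<p>nice post</p><form action="https://collector.example/save">'
    '<input name="username"><input type="PASSWORD" name="password"></form>'
)
BENIGN_COMMENT = '<p>Thanks, <b>great</b> write-up. <a href="/faq">FAQ</a></p>'

if __name__ == "__main__":
    for label, body in (("flagged", FLAGGED_COMMENT), ("benign", BENIGN_COMMENT)):
        print(label, audit_user_html(body, SITE))
```

A site would normally reject or strip any post with findings, since ordinary comments have no need for form controls.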

Source: P2pNet


2 responses. Wanna say something?

  1. kon
    Nov 29, 2006 at 11:35:11
    #1

    Woo.. I save most of mine in Firefox only..
    I'll have to use RoboForm then..
    Thanks for the info, dude.. :D

  2. admin
    Nov 29, 2006 at 12:09:45
    #2

    No prob :) I used to think this thing was fine too.. but I've never used it..
