
by Dave Gradijan

Firefox Flaw Puts User Passwords at Risk

Nov 27, 2006
CSO and CISO | Data and Information Security

A bug discovered within Mozilla’s Firefox Web browser enables online scammers to more easily steal log-in and password information from Web surfers who use the browser to visit pages that enable users to build their own HTML forms, such as blogs and social networking sites like, the IDG News Service reports via

The news comes from Robert Chapin, president of Chapin Information Services, who said the issue has to do with Firefox’s Password Manager software, according to the IDG News Service. Said software can be duped into sending the log-in and password information of Web surfers who visit compromised pages to attackers’ sites, the IDG News Service reports.

The Password Manager software within Firefox does not perform adequate analysis in deciding whether to send off password information and doesn’t make sure the server to which it sends such material is the same one that originally requested it, Chapin said, according to the IDG News Service.

The flaw was recently exploited as part of a phishing attack on MySpace users, according to the IDG News Service. In that instance, a MySpace account was created and registered under the name login_home_index_html to host a faux page that could steal users’ password information. The fake page was designed to send off such information to a separate website, and any users who visited it while employing Firefox could have fallen victim to the exploit, the IDG News Service reports.

Developers of the Firefox browser have classified the flaw as critical, according to the IDG News Service.

Chapin said users of Microsoft’s popular Internet Explorer (IE) browser are also at risk due to a similar flaw in that software; however, those users are less likely to fall victim to the scam than Firefox users because IE does a better job of making sure the log-in form submitted to it comes from the appropriate source and not a suspect server, according to the IDG News Service.
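The two paragraphs above (Chapin's description of the Password Manager check that was missing, and the stronger form-source check he credits to IE) describe one control: before auto-filling saved credentials, the browser should confirm that the page and the form's submission target are the origin the credentials were saved for. The following is an added illustration written for this page, not Mozilla's or Microsoft's code; the `savedEntry` record, the `shouldAutofill` function and the `social.example` / `collector.example` hosts are assumptions constructed for the example. It resolves the form's `action` against the page URL the way a browser would, so relative, protocol-relative and absolute actions are all handled, and refuses to fill when the resolved origin differs.

```javascript
// Added example, not from the article or from any browser's source.
// Models the origin check a password manager should apply before
// auto-filling a saved login into an HTML form.

// Constructed saved-credential record: the origin where the user
// originally submitted these credentials (hypothetical data model).
const SAVED_ENTRY = {
  origin: "https://social.example",
  username: "alice",          // constructed sample value
};

// Origin (scheme://host[:port]) of an absolute URL.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Resolve the form's action attribute against the page URL, exactly as the
// browser does on submit. "" or a missing action means "submit to the page
// itself"; "//host/path" keeps the scheme but changes the host; an absolute
// URL may point anywhere. Unparseable or javascript: actions yield "null".
function formActionOrigin(pageUrl, formAction) {
  try {
    return new URL(formAction || "", pageUrl).origin;
  } catch (e) {
    return "null";
  }
}

// Decide whether saved credentials may be auto-filled into this form.
// Returns { fill: boolean, reason: string } so the caller can log refusals.
function shouldAutofill(savedEntry, pageUrl, formAction) {
  const pageOrigin = originOf(pageUrl);
  const actionOrigin = formActionOrigin(pageUrl, formAction);

  // The page must be the origin the credentials were saved for (this also
  // rejects an http:// page for an https:// entry, since the scheme is part
  // of the origin).
  if (pageOrigin !== savedEntry.origin) {
    return { fill: false, reason: `page origin ${pageOrigin} != saved origin ${savedEntry.origin}` };
  }
  // The form must submit back to that same origin. This is the check the
  // article says was missing: a user-authored form on a trusted page can
  // still carry an action pointing at a third-party collector.
  if (actionOrigin !== savedEntry.origin) {
    return { fill: false, reason: `form action submits to ${actionOrigin}` };
  }
  return { fill: true, reason: "page and form action match saved origin" };
}

// Constructed sample forms as a password manager might encounter them on a
// profile page of the saved site.
const SAMPLE_FORMS = [
  { page: "https://social.example/profile/alice", action: "/login" },
  { page: "https://social.example/profile/bob",   action: "https://collector.example/harvest" },
  { page: "https://social.example/profile/bob",   action: "//collector.example/harvest" },
  { page: "https://social.example/profile/bob",   action: "javascript:void(0)" },
  { page: "http://social.example/profile/alice",  action: "/login" },
];

// Apply the check to every sample form and return the decisions.
function evaluateSamples() {
  return SAMPLE_FORMS.map((f) => ({ ...f, ...shouldAutofill(SAVED_ENTRY, f.page, f.action) }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.fill ? "FILL   " : "REFUSE "} ${r.page} action=${r.action} (${r.reason})`);
}
```

Only the first sample form is filled; every form whose resolved action leaves the saved origin, including the protocol-relative and `javascript:` variants, is refused with a logged reason. Checking the page origin alone, as the article says the vulnerable Password Manager effectively did, would have filled the second and third forms as well.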

Chapin’s description of the flaw—as well as a demonstration on how it works—is available here.


-Compiled by Al Sacco