Money Matters - Simplified

Critical Bug Compromises Security in Firefox 2.0

IE7 also susceptible, but not to the same extent.

Next time you decide to be lazy and let your browser do your work, think twice. The latest finding says that your browser can be tricked into passing your passwords on to attackers. Something that will not please you very much. Right?



What is happening?

Attackers have found a new method of extracting information from users. So far it has been seen on MySpace.com, a social networking site. When users sign in with their username and password, the credentials go to the attackers first and then to the MySpace server, and hence security goes for a toss. Robert Chapin, who discovered the flaw, calls it RCSR – the Reverse Cross Site Request vulnerability.

How do they do it?

In simple terms, the communication between you and a website that you wish to log in to is direct. There is no one else in between. In an attack, however, the attackers trick the user’s browser into sending the information to them first, and it is then passed on to the actual server where it needs to go. The flaw was discovered in late October, when it was reported to be taking place across MySpace. The attackers had created an account by the name of login_home_index_html and then set up a fake login page for users.
Unsuspecting users signed in using the fake login page, which sent all the information to the attackers.

Why does it happen?

There are two simple reasons for it. The first is that Firefox’s Password Manager does not perform a thorough check before it decides to send across the password information. The second is that it does not check whether it is sending the information to the same server that requested it.

Attackers take advantage of these two flaws.

As shown by the MySpace attack, the browser did not check whether it was sending the information back to the MySpace server. It just blindly assumed that it was sending it there, whereas the reality was different.
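The missing check described above can be sketched as follows. This is an added example, not Firefox's or Mozilla's code: the function names and the hosts social.example and collector.example are constructed for illustration. It refuses to fill a saved password unless both the page serving the form and the form's submission target share the origin the password was saved for.

```javascript
// Added illustration; mayAutofill and originOf are hypothetical names,
// not browser internals. Hosts below are constructed sample values.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(url) {
  // Only http(s) URLs have an origin we are willing to compare.
  if (!(url.protocol in DEFAULT_PORTS)) return null;
  const port = url.port || DEFAULT_PORTS[url.protocol];
  return `${url.protocol}//${url.hostname.toLowerCase()}:${port}`;
}

function mayAutofill(savedOrigin, pageUrl, formAction) {
  let saved, page, target;
  try {
    saved = new URL(savedOrigin);
    page = new URL(pageUrl);
    // An empty or missing action submits to the page's own URL;
    // a relative action is resolved against the page URL.
    target = new URL(formAction || "", page);
  } catch (e) {
    return { allow: false, reason: "unparseable URL" };
  }
  const s = originOf(saved), p = originOf(page), t = originOf(target);
  if (!s || !p || !t) return { allow: false, reason: "non-http(s) URL" };
  if (p !== s) return { allow: false, reason: "form served from a different origin" };
  if (t !== p) return { allow: false, reason: "form submits to a different origin" };
  return { allow: true, reason: "same origin for page and submission target" };
}

// Constructed cases: a form hosted on the trusted site that posts elsewhere
// (the situation the article describes), and an ordinary login form.
const saved = "https://social.example";
const cases = [
  ["https://social.example/login_home_index_html", "https://collector.example/save"],
  ["https://social.example/login", "/session"],
];
for (const [page, action] of cases) {
  console.log(page, "->", action, mayAutofill(saved, page, action));
}
```

The second comparison is the one that matters here: a page can be served by the trusted site and still carry a form whose action points somewhere else.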

Mozilla’s take on the issue

The Mozilla Foundation, which handles the Firefox code, has acknowledged the problem to be a critical one. As of now no patch has been released for it, and they hope to come out with a solution with the release of Firefox version 2.0.0.1 or 2.0.0.2.

What about IE7?

IE7 faces the same problem, but it is a little less susceptible to the attack because it does not fill in the fields automatically like Firefox does. Hence it is a little safer. But like Firefox, it does not check the server to which it is returning the password information. IE does, however, check where the login form is coming from, so if it is from an unknown server the information will not be sent back. Once the server has been checked it does check it again while transmitting the information back. This loophole still needs to be plugged, and no patch has been put up by Microsoft till now.

The remedy

As of now, without the patches, the simple remedy is to disable the Save Passwords feature in your browser.

With Firefox you need to follow the path – TOOLS → OPTIONS → SECURITY, and there uncheck the box which says ‘Remember Passwords for Sites’.

A simple solution but it does the trick.

By being a little more alert, users can avert accidents.