Submission + - Firefox 2.0 Password Manager Bug Exposes Passwords
zbuffered writes: "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a myspace user's site will be unhelpfully propagated with the visitor's myspace.com credentials. It was first discovered in the wild by Netcraft on 10-27-06. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the http://login.myspace.com/ site almost perfectly, causing many users to believe they needed to log in.
A description of this new type of attack is available from the bug's original author."
A description of this new type of attack is available from the bug's original author."
