Some hackers are going Phishing on MySpace and catching Safari and FireFox users (including Windows)... PING!
If you want on or off the Mac Ping List, Freepmail me.
Posted on 11/24/2006 10:33:30 PM PST by Swordmaker
Heise Security reports on a phishing vulnerability caused by Firefox's password manager. In a nutshell, because Firefox has the ability to store field entries so it can automatically insert usernames and passwords for previously visited Web sites, maliciously crafted sites can coax the information out and trick the user into submitting (or automatically submit) the private data.
The phishing mechanism, as demonstrated, also affects Safari and the Mac OS X Keychain.
Heise writes:
"The trick is currently being used in at least one page on MySpace to send phished login data to a Lycos server. A test by heise Security's editors confirms the problem in Firefox: the browser enters the data into visited HTML documents with forms without checking their original location or the destination to which data is sent. Internet Explorer 7 does not demonstrate the same behaviour: when recording locations, it notes the subdirectory to which the form belongs. This makes phishing somewhat more complicated, since attackers must then plant a form into a trusted site; mind you, the flaws in many web sites mean that even this is no longer a major hurdle. The current version of Opera does not enter any data automatically. Users must instead select the appropriate login information with the magic wand."
There is a demonstration of the flaw here. We were able to reproduce this bug in-house using both Firefox 2.0 and Safari 2.0.4 under Mac OS X 10.4.8.
For Firefox, this situation can be prevented by simply going to the "Security" pane of the application's preferences and deselecting the "Remember passwords for sites."
For Safari, it can be prevented by going to the "AutoFill" pane in the application's preferences and deselecting "User names and passwords."
NOTE: I was unable to duplicate this on my Mac G5, OS X.4.8, Safari version 2.0.4 (Build 419.3) using their test. Perhaps the test only works on Firefox. - Swordmaker
Some hackers are going Phishing on MySpace and catching Safari and FireFox users (including Windows)... PING!
If you want on or off the Mac Ping List, Freepmail me.
15:25 EST Another critical new security problem could reveal passwords stored by your web browser, as Chapin Information Services and others describe:
CIS Finds Flaws in Firefox v2 Password Manager
Chapin Information Services (CIS) has discovered a new flaw in the Mozilla Firefox web browser that exposes saved passwords to clever attackers.
Given the new nature of this type of attack, CIS has named this a Reverse Cross-Site Request (RCSR) vulnerability.
This flaw could affect anyone visiting a weblog or forum website that allows user-contributed HTML codes to be added.
A proof-of-concept demonstration is available at the CIS website.
RCSR attacks are also actively targeting Microsoft Internet Explorer, however a flaw in Firefox makes the attack much more likely to succeed.
The Password Manager component of FireFox can be exploited to send a username and password combination to an attacker's computer without the user's knowledge.
Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum websites at trusted addresses.
Firefox Password Manager Information Disclosure (SA23046)P
A vulnerability has been discovered in Firefox, which can be exploited by malicious people to conduct phishing attacks.
The vulnerability is caused due to the Password Manager not properly checking the URL before automatically filling in saved user credentials into forms. This may be exploited to steal user credentials via malicious forms in the same domain.
The vulnerability is confirmed in version 2.0.0. Other versions may also be affected.
Solution: Disable the "Remember passwords for sites" option in the preferences.
Critical Firefox hole allows password theft
The flaw lies in Firefox's Password Manager software, which can be tricked into sending password information to an attacker's Web site, said Robert Chapin, president of Chapin Information Services Inc. For this attack to work, attackers need to be able to create HTML (Hypertext Markup Language) forms on the Web site, something that is allowed on blogging and social networking sites.
The attack was used in a MySpace phishing attack reported in late October. In that attack, users registered a MySpace account named login_home_index_html and used it to host a fake log-in page that exploited the flaw.
Like Freerepublic? I can't ever remember my FReeper PW it has been so long since I used it...
Try "123456". ;') I wonder if there's a way to have the system send it to your FReepmail?
Hmm, I don't see it...
http://www.freerepublic.com/perl/edit-account
http://www.freerepublic.com/perl/settings
You can't have the system send your password to your Freepmail account. That would be kind of useless if you weren't logged on and needed your password ;-}
You can have it emailed to the email address you signed up with. If your email isn't current you can change it here:
http://www.freerepublic.com/perl/edit-account
Yeah, I guess that makes more sense, eh? ;')
I think that's just a cookie. Unless you log out after each Freeping session and then are asked to log in each time.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.