Firefox password manager makes life easier for phishers
A new method of phishing for passwords is currently being discussed in the bug database run by the Mozilla Foundation. Firefox can automatically enter user names and passwords into the login forms of known websites, provided that the user has allowed the Firefox password manager to store the relevant login data. Yet the password manager only records the domain (host name) to which that login data belongs. It does not record the subdirectory or HTML file from which the form originated. Furthermore, Firefox does not check the form's action URL, i.e. the address to which the automatically entered data are sent when the form is submitted. Any form on the same domain, including one injected into a user-editable page, therefore receives the stored credentials, and the form may hand them to a server of the attacker's choosing.
The trick is currently being used on at least one page on MySpace to send phished login data to a Lycos server. A test by heise Security's editors confirms the problem in Firefox: the browser enters the data into any visited HTML document containing a suitable form, without checking the document's location within the site or the destination to which the data are sent. Internet Explorer 7 does not exhibit the same behaviour: when recording a login, it also notes the subdirectory in which the form resides. This makes phishing somewhat more complicated, since attackers must then plant a form within that part of a trusted site; mind you, given the flaws in many web sites, even this is no longer a major hurdle. The current version of Opera does not enter any data automatically. Users must instead select the appropriate login information via Opera's "magic wand" button.
A demo page of the heise Security Browsercheck illustrates the problem: an "evil" page transfers the password to another server without any user interaction.
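The following is an added example (not code from heise Security, Mozilla or the bug report) that models the decision a password manager makes before autofilling. It compares the lax "domain only" rule the article attributes to Firefox with the "same subdirectory" rule attributed to IE7 and with a stricter rule that also requires the form to submit to the same origin as the form the credential was originally saved from. All host names, paths and the stored credential are constructed for illustration; `collector.example` stands in for the third-party server that receives the phished data.

```javascript
// Added illustration of password-manager matching policies; not Firefox's code.
// A stored credential, as a password manager might record it when the user
// first logs in. All values are constructed for this example.
const STORED_CREDENTIALS = [
  {
    hostname: "www.myspace.com",                 // constructed host
    pageDirectory: "/login/",                    // directory of the page the form was on
    formActionOrigin: "https://www.myspace.com", // origin the original form submitted to
    username: "alice",
    password: "hunter2",                         // constructed
  },
];

// Describe a login form found on a page: where the page lives and where the
// form will send its fields on submit. A relative or empty `action` resolves
// against the page URL, exactly as HTML does it.
function describeForm(pageUrl, actionAttribute) {
  const page = new URL(pageUrl);
  const action = new URL(actionAttribute || "", page);
  return {
    pageHost: page.hostname,
    pagePath: page.pathname,
    actionOrigin: action.origin,
  };
}

// Matching policies:
//   "domain-only"   : the behaviour the article describes for Firefox.
//                     Only the host must match; any form on the site qualifies.
//   "path-prefix"   : the behaviour the article describes for IE7.
//                     The page must also sit under the recorded subdirectory.
//   "action-origin" : additionally require the form to submit to the origin the
//                     credential was originally submitted to, so a form that
//                     posts elsewhere never receives the stored password.
function matchesPolicy(cred, form, policy) {
  if (cred.hostname !== form.pageHost) return false;
  switch (policy) {
    case "domain-only":
      return true;
    case "path-prefix":
      return form.pagePath.startsWith(cred.pageDirectory);
    case "action-origin":
      return form.pagePath.startsWith(cred.pageDirectory) &&
             cred.formActionOrigin === form.actionOrigin;
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Return the credential the manager would autofill under `policy`, or null.
function credentialToAutofill(pageUrl, actionAttribute, policy) {
  const form = describeForm(pageUrl, actionAttribute);
  return STORED_CREDENTIALS.find((c) => matchesPolicy(c, form, policy)) || null;
}

// Three constructed scenarios:
//  1. the real login page with a relative action (must autofill everywhere),
//  2. a form planted on a user profile page that posts to a foreign server
//     (the MySpace case in the article),
//  3. a form planted inside the login directory that posts to a foreign server
//     (what an attacker needs once a browser checks the subdirectory).
const SCENARIOS = [
  ["https://www.myspace.com/login/index.html", "do_login"],
  ["https://www.myspace.com/profile/evil", "http://collector.example/collect"],
  ["https://www.myspace.com/login/planted", "http://collector.example/collect"],
];

for (const [pageUrl, action] of SCENARIOS) {
  for (const policy of ["domain-only", "path-prefix", "action-origin"]) {
    const cred = credentialToAutofill(pageUrl, action, policy);
    console.log(`${policy.padEnd(14)} ${pageUrl} -> ${action}: ${cred ? "AUTOFILL" : "refuse"}`);
  }
}
```

The "evil" page described above only needs such a form plus a script that calls `form.submit()` on load: under the domain-only rule the browser fills in the credentials first, so no user interaction is required. Checking the form's action origin, not just the page's host or directory, is what closes that gap, because an injected form must then post back to the legitimate site to receive anything.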
- Cross-Site Forms + Password Manager = Security Failure, bug report by Robert Chapin