Firefox password manager makes life easier for phishers
A new method of phishing for passwords is currently being discussed on the bug database run by the Mozilla Foundation. Firefox can automatically enter user names and passwords into login forms of known websites, insofar as the user gives permission for the Firefox password manager to store the relevant login data. Yet the Mozilla Foundation's password manager only notes the domain to which that login data belongs. It does not note the subdirectory or HTML file from which the forms originate. Firefox furthermore does not validate the address to which the automatically entered data are sent.
This makes it possible, for example, for phishers to create their own login form within their page on MySpace, inducing Firefox automatically to divulge the name and password of a MySpace user. While a click on the Submit button is required for the form to be sent, it's relatively easy to misdirect the user's attention so that he or she doesn't even realise that a form is being dispatched. A tempting name might be provided for the submit button, for example, and the form fields concealed through targeted colour selection or buried beneath other content. JavaScript can also be used to run the submit method on a form without user interaction.
The trick is currently being used in at least one page on MySpace to send phished login data to a Lycos server. A test by heise Security's editors confirms the problem in Firefox: the browser enters the data into visited HTML documents with forms without checking their original location or the destination to which data is sent. Internet Explorer 7 does not demonstrate the same behaviour: when recording locations, it notes the subdirectory to which the form belongs. This makes phishing somewhat more complicated, since attackers must then plant a form into a trusted site; mind you, the flaws in many web sites mean that even this is no longer a major hurdle. The current version of Opera does not enter any data automatically. Users must instead select the appropriate login information with the magic wand.
A demo page of the heise Security Browsercheck illustrates the problem: an "evil" page transfers the password to another server without any user interaction.
- Cross-Site Forms + Password Manager = Security Failure, bug report by Robert Chaplin
(ehe)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
